PT-2023-9029 · Golang +11
Das7Pad +1
Published 2023-04-04 · Updated 2025-02-28
CVE-2023-24536
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Golang (affected versions not specified)
Description
Go's multipart form parsing can consume large amounts of CPU and memory when it handles a form input containing a very large number of parts. Several factors contribute: mime/multipart.Reader.ReadForm undercounts the memory it consumes (so the maxMemory argument does not bound it the way callers expect), the many small allocations made per part put pressure on the garbage collector, and short-lived buffers are allocated for each part. A remote, unauthenticated attacker can send such a form to cause a denial of service. The issue affects programs that call mime/multipart.Reader.ReadForm directly and programs that use the form-parsing methods of the net/http package (Request.FormFile, FormValue, ParseMultipartForm and PostFormValue), since those methods call ReadForm internally.
Recommendations
To resolve the issue, update to a Go release that includes the fix (Go 1.19.8 and Go 1.20.3 and later, which also correct the memory accounting in ReadForm) and rebuild affected binaries: the limits live in the standard library, so a rebuilt binary is required, not a runtime patch.
The fixed releases cap a form at 1000 parts and at 10000 header fields across all parts by default. These defaults can be tuned with the environment variables GODEBUG=multipartmaxparts= and GODEBUG=multipartmaxheaders=, which limit the number of parsed parts and the number of header fields, respectively. Note that these settings are only recognized by patched Go versions; they do not protect a binary built with an unpatched toolchain.
Where updating is not yet possible, bound the request body with http.MaxBytesReader before parsing, and restrict which clients can reach the code paths that call mime/multipart.Reader.ReadForm or the net/http form-parsing methods, to minimize the risk of exploitation.
Avoid exposing handlers that rely on FormFile, FormValue, ParseMultipartForm and PostFormValue to untrusted input until the fix is in place.
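The following is an added example, not code from the advisory or from the Go project, showing how a handler can enforce its own part-count and per-part size limits while still on an unpatched toolchain. It walks the body with mime/multipart.Reader.NextPart instead of calling ParseMultipartForm, so parsing stops as soon as the cap is exceeded rather than after the whole form has been buffered. The function and variable names (parseMultipartCapped, buildForm, cappedHandler, ErrTooManyParts) and the sample form built by buildForm are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/http"
)

// ErrTooManyParts is returned when a body carries more parts than allowed.
// (Hypothetical name, defined for this example.)
var ErrTooManyParts = errors.New("multipart: too many parts")

// parseMultipartCapped walks a multipart body part by part and stops as soon
// as the part count exceeds maxParts, before any further allocation happens.
// Each part's value is read through io.LimitReader so a single oversized
// field cannot consume more than maxPartBytes either. Only non-file fields
// are collected; file parts are drained, counted and discarded.
func parseMultipartCapped(body io.Reader, boundary string, maxParts int, maxPartBytes int64) (map[string][]string, error) {
	mr := multipart.NewReader(body, boundary)
	values := make(map[string][]string)
	for n := 0; ; n++ {
		p, err := mr.NextPart()
		if err == io.EOF {
			return values, nil
		}
		if err != nil {
			return nil, err
		}
		if n >= maxParts {
			p.Close()
			return nil, ErrTooManyParts
		}
		// Read one byte past the limit so "exactly maxPartBytes" and
		// "more than maxPartBytes" can be told apart.
		data, err := io.ReadAll(io.LimitReader(p, maxPartBytes+1))
		p.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxPartBytes {
			return nil, fmt.Errorf("multipart: part %q exceeds %d bytes", p.FormName(), maxPartBytes)
		}
		if p.FileName() == "" {
			values[p.FormName()] = append(values[p.FormName()], string(data))
		}
	}
}

// buildForm constructs a sample multipart body with n text fields. This is
// constructed test data, not a captured request. It returns the encoded body
// and the boundary used.
func buildForm(n int) ([]byte, string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	for i := 0; i < n; i++ {
		w.WriteField(fmt.Sprintf("f%d", i), "v")
	}
	w.Close()
	return buf.Bytes(), w.Boundary()
}

// cappedHandler shows how the check slots into net/http: the body is first
// bounded by http.MaxBytesReader, then parsed with the part cap instead of
// r.ParseMultipartForm. Too many parts yields 413 rather than a long parse.
func cappedHandler(maxParts int, maxBody int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, params, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || params["boundary"] == "" {
			http.Error(w, "expected multipart/form-data", http.StatusBadRequest)
			return
		}
		body := http.MaxBytesReader(w, r.Body, maxBody)
		values, err := parseMultipartCapped(body, params["boundary"], maxParts, 1<<20)
		if errors.Is(err, ErrTooManyParts) {
			http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "parsed %d fields\n", len(values))
	}
}

func main() {
	body, boundary := buildForm(5)
	v, err := parseMultipartCapped(bytes.NewReader(body), boundary, 1000, 1<<20)
	fmt.Println(len(v), err)
	body, boundary = buildForm(1500)
	_, err = parseMultipartCapped(bytes.NewReader(body), boundary, 1000, 1<<20)
	fmt.Println(err)
}
```

The cap of 1000 parts used in main mirrors the default the fixed Go releases apply; on a patched toolchain the same effect is obtained by simply calling ParseMultipartForm and adjusting GODEBUG=multipartmaxparts= if a lower or higher limit is wanted. The explicit loop remains useful on patched versions when a handler needs a limit far below the default or wants to reject a request before any part is buffered in memory.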
Weakness Enumeration
DoS
Allocation of Resources Without Limits (CWE-770)
Related Identifiers
CVE-2023-24536
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Golang
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu