PT-2024-2138 · Go+11

Bartek Nowotarski · Published 2024-03-05 · Updated 2025-06-27 · CVE-2023-45290

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Go versions prior to the fixed version

Description: The issue lies in multipart form parsing: the limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. A maliciously crafted input containing very long lines can therefore cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function correctly limits the maximum size of form lines.

Recommendations: For Go versions prior to the fixed version, consider updating to a version that includes the fix, in which ParseMultipartForm correctly limits the maximum size of form lines. As a temporary workaround, consider restricting the use of the Request.ParseMultipartForm, Request.FormValue, Request.PostFormValue and Request.FormFile functions to minimize the risk of exploitation, and avoid calling them on untrusted input until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability, but updating to the latest version may help mitigate the risk.

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2024:2562
ALSA-2024:2724
ALSA-2024:3259
ALSA-2024:3346
ALSA-2024:3826
ALSA-2024:3827
ALSA-2024:3830
ALSA-2024:3831
ALSA-2024:5258
ALSA-2024:6969
ALSA-2024:8038
ALSA-2024:9135
ALT-PU-2024-11781
ALT-PU-2024-11872
ALT-PU-2024-13971
ALT-PU-2024-3504
ALT-PU-2024-3506
ALT-PU-2024-4847
AZL-37493
AZL-37504
AZL-79032
BDU:2024-02047
BIT-GOLANG-2023-45290
CESA-2024_3259
CESA-2024_3346
CESA-2024_5258
CESA-2024_6969
CESA-2024_8038
CVE-2023-45290
GHSA-RR6R-CFGF-GC6H
GO-2024-2599
INFSA-2024_2562
INFSA-2024_2724
INFSA-2024_3259
INFSA-2024_3346
INFSA-2024_3826
INFSA-2024_3827
INFSA-2024_3830
INFSA-2024_3831
INFSA-2024_5258
INFSA-2024_6969
INFSA-2024_8038
INFSA-2024_9135
MGASA-2024-0343
OESA-2024-1306
OESA-2025-1682
OESA-2025-1683
OESA-2025-1690
OPENSUSE-SU-2024:13752-1
OPENSUSE-SU-2024:13756-1
OPENSUSE-SU-2024_0812-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3755-1
RHSA-2024:0045
RHSA-2024:2562
RHSA-2024:2724
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:3781
RHSA-2024:3826
RHSA-2024:3827
RHSA-2024:3830
RHSA-2024:3831
RHSA-2024:4023
RHSA-2024:4893
RHSA-2024:5075
RHSA-2024:5077
RHSA-2024:5202
RHSA-2024:5258
RHSA-2024:5436
RHSA-2024:5442
RHSA-2024:5446
RHSA-2024:5810
RHSA-2024:6969
RHSA-2024:8038
RHSA-2024:9135
RHSA-2024_2562
RHSA-2024_2724
RHSA-2024_3259
RHSA-2024_3346
RHSA-2024_3826
RHSA-2024_3827
RHSA-2024_3830
RHSA-2024_3831
RHSA-2024_5258
RHSA-2024_6969
RHSA-2024_8038
RHSA-2024_9135
RLSA-2024:2562
RLSA-2024:2724
RLSA-2024:3259
RLSA-2024:3346
RLSA-2024:3826
RLSA-2024:3827
RLSA-2024:3830
RLSA-2024:5258
RLSA-2024:8038
RLSA-2024:9135
SUSE-SU-2024:0800-1
SUSE-SU-2024:0811-1
SUSE-SU-2024:0812-1
SUSE-SU-2024:0936-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
USN-6886-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu