PT-2024-27455 · Gorilla/Schema
Author: Alexvasiluta · Published 2024-06-30 · Updated 2025-01-17
CVE-2024-37298
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
gorilla/schema versions prior to 1.4.1
Description
The issue concerns a memory exhaustion vulnerability in gorilla/schema. When
schema.Decoder.Decode() is run on a struct that has a field of type []struct{...}, the decoder's sparse slice handling lets an attacker force large memory allocations. Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. For instance, an attacker can supply a field with a large index in an array, which causes the allocation of all preceding elements of the slice and can lead to memory exhaustion. This can be exploited through API endpoints, such as /innocent endpoint?arr.10000000.X=1, where arr is an array of structs.
Recommendations
For versions prior to 1.4.1, update to version 1.4.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to API endpoints that use
schema.Decoder.Decode() on structs with arrays of other structs to minimize the risk of exploitation.
Avoid using schema.Decoder.Decode() on structs with arrays of other structs until the issue is resolved.
Exploit
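As a defender-side pre-check for the workaround above, here is an added example that is not part of this advisory or of gorilla/schema: it parses the request's query keys and rejects any dotted path segment that is a numeric index above an assumed cap, before the form values are handed to schema.Decoder.Decode(). It uses only the Go standard library; the cap value, the function names and the sample queries are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// MaxSliceIndex caps numeric path segments (the "10000000" in arr.10000000.X)
// before values reach schema.Decoder.Decode(). Assumed, constructed value.
const MaxSliceIndex = 1000

// RejectSparseIndices returns an error for the first form key whose dotted path
// holds a numeric segment outside [0, MaxSliceIndex]. Only keys are inspected:
// the index in the key is what drives gorilla/schema's sparse slice allocation.
func RejectSparseIndices(form url.Values) error {
	for key := range form {
		for _, seg := range strings.Split(key, ".") {
			idx, err := strconv.Atoi(seg)
			if errors.Is(err, strconv.ErrRange) { // all digits, too big for int
				return fmt.Errorf("form key %q: index %q out of range", key, seg)
			}
			if err != nil {
				continue // not a numeric segment (e.g. "arr" or "X")
			}
			if idx < 0 || idx > MaxSliceIndex {
				return fmt.Errorf("form key %q: index %d exceeds limit %d", key, idx, MaxSliceIndex)
			}
		}
	}
	return nil
}

// CheckRawQuery parses a raw query string and applies RejectSparseIndices;
// a handler would call it before schema.NewDecoder().Decode(&dst, r.Form).
func CheckRawQuery(raw string) error {
	form, err := url.ParseQuery(raw)
	if err != nil {
		return err
	}
	return RejectSparseIndices(form)
}
func main() {
	for _, q := range []string{"arr.10000000.X=1", "arr.0.X=1&arr.1.X=2"} {
		fmt.Printf("%q -> %v\n", q, CheckRawQuery(q))
	}
}
```

This only narrows the input that reaches the decoder; upgrading to 1.4.1 or later remains the actual fix.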
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Centos
Debian
Red Hat
Rocky Linux
Gorilla/Schema