7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.002 Low
EPSS
Percentile
62.1%
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
CPE | Name | Operator | Version |
---|---|---|---|
golang.org/x/text | lt | 0.3.8 |
github.com/advisories/GHSA-69ch-w2m2-3vjp
github.com/golang/go/issues/56152
github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c
go.dev/cl/442235
go.dev/issue/56152
groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
nvd.nist.gov/vuln/detail/CVE-2022-32149
pkg.go.dev/vuln/GO-2022-1059