Excessive resource consumption in mime/multipart
CVE-2022-41725

7.5 HIGH

Key Information:

CVE Published: 28 February 2023

What is CVE-2022-41725?

A vulnerability in Go's net/http and mime/multipart packages allows a denial of service through excessive resource consumption. Parsing multipart forms, in particular with mime/multipart.Reader.ReadForm, can consume unbounded memory and disk space, especially when processing overly large or maliciously crafted forms. This is exacerbated by the unconfigurable 10MB reserved for non-file parts, which can lead to service disruption. Although the updated ReadForm function now manages memory allocation more carefully and limits the creation of temporary disk files, users must still watch overall resource usage when handling multipart forms, as there is no inherent limit on disk consumption.
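As an added defensive example (not code from the advisory or from the Go project), the handler below caps the total request body with http.MaxBytesReader before calling ReadForm, so neither the 10MB non-file budget nor the temporary-file spill can be driven past a limit the server chooses. The limit values, handler names and the sample form are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Limits chosen for this example; they are not values taken from the advisory.
const (
	maxFormBytes = 1 << 20  // hard cap on the whole request body (1 MiB)
	maxMemory    = 64 << 10 // in-memory budget given to ReadForm; bigger file parts spill to disk
)

// parseBoundedForm caps total bytes read via http.MaxBytesReader before ReadForm runs.
func parseBoundedForm(w http.ResponseWriter, r *http.Request) (*multipart.Form, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
	mr, err := r.MultipartReader()
	if err != nil {
		return nil, err
	}
	return mr.ReadForm(maxMemory)
}

func uploadHandler(w http.ResponseWriter, r *http.Request) {
	form, err := parseBoundedForm(w, r)
	if err != nil {
		http.Error(w, "multipart form rejected", http.StatusRequestEntityTooLarge)
		return
	}
	defer form.RemoveAll() // remove any temporary files ReadForm wrote to disk
	fmt.Fprintf(w, "fields=%d files=%d", len(form.Value), len(form.File))
}

// submitForm posts a constructed form (one text field, one file of fileSize bytes) and returns the status code.
func submitForm(fileSize int) int {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	mw.WriteField("name", "example")
	fw, _ := mw.CreateFormFile("upload", "blob.bin")
	fw.Write(bytes.Repeat([]byte{'A'}, fileSize))
	mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code // 200 for a small form, 413 once the body exceeds maxFormBytes
}
```

A 1 KiB form is accepted, while a 2 MiB file part trips the byte cap inside ReadForm and is rejected before it can fill memory or disk.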

Affected Version(s)

mime/multipart 0 < 1.19.6

mime/multipart 1.20.0-0 < 1.20.1

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arpad Ryszka
Jakob Ackermann (@das7pad)