Infinite loop in parsing in go/scanner
CVE-2023-24537
7.5 HIGH
What is CVE-2023-24537?
This vulnerability is in the Go standard library: calling any of the go/parser Parse functions on source code that contains //line directives with excessively large line numbers causes an integer overflow in go/scanner's handling of the directive, which sends the parser into an infinite loop. An application that parses untrusted Go source with an affected version can therefore be made to hang or crash. Developers should ensure that their code does not use excessively large line numbers in //line directives to avoid this issue and maintain robust application performance; the affected version ranges below indicate which go/scanner releases carry the bug.
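As an added example that is not part of this advisory or of the Go project's code, the following Go guard screens untrusted source for //line and /*line*/ directives whose line or column values exceed a bound before the text is handed to go/parser, which is useful wherever a toolchain update cannot be rolled out immediately. The bound, the regular expression and the function names are assumptions of this example, not limits or APIs from the Go toolchain.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// maxDirectiveValue bounds the line and column numbers this guard accepts in a
// line directive; the bound itself is an assumption chosen for this example.
const maxDirectiveValue = 1 << 20
var ErrOversizedLineDirective = errors.New("line directive exceeds configured bound")
// directiveRe captures the argument of "//line ..." (at line start) or "/*line ... */".
var directiveRe = regexp.MustCompile(`(?m)(?:^//line |/\*line )([^\n]*?)(?:\*/|$)`)

// numField: is s all digits, and if so does it exceed the bound? Digits too large for an int count as over.
func numField(s string) (numeric, over bool) {
	if s == "" || strings.Trim(s, "0123456789") != "" {
		return false, false
	}
	n, err := strconv.Atoi(s)
	return true, err != nil || n > maxDirectiveValue
}

// oversized: the last ":" field is the line, or the column when the field before it is numeric (filename:line:col).
func oversized(arg string) bool {
	f := strings.Split(arg, ":")
	if n := len(f); n >= 2 {
		num1, over1 := numField(f[n-1])
		num2, over2 := numField(f[n-2])
		return num1 && (over1 || (num2 && over2))
	}
	return false
}

// CheckLineDirectives reports the first directive whose value exceeds the bound; run it before go/parser.
func CheckLineDirectives(src string) error {
	for _, m := range directiveRe.FindAllStringSubmatchIndex(src, -1) {
		if oversized(strings.TrimSpace(src[m[2]:m[3]])) {
			return fmt.Errorf("line %d: %w", 1+strings.Count(src[:m[0]], "\n"), ErrOversizedLineDirective)
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckLineDirectives("package p\n//line big.go:99999999999999999999\nfunc f() {}\n")) // constructed input
}
```

A digit string that does not fit in an int is treated as oversized rather than as "not a directive", so the guard cannot be bypassed by a value larger than the parser's own integer type.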
Affected Version(s)
go/scanner: all versions from 0 up to, but not including, 1.19.8
go/scanner: versions from 1.20.0-0 up to, but not including, 1.20.3
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Philippe Antoine (Catena cyber)