Skip to content
This repository was archived by the owner on Jul 31, 2025. It is now read-only.
This repository was archived by the owner on Jul 31, 2025. It is now read-only.

Security Vulnerabilities - CVE-2021-33194, CVE-2021-38561, CVE-2022-32149 #1695

Description

@vishweshwarp

Hi Team,

Can you please fix the following security vulnerabilities?

CVE-2021-33194: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Fix Status: fixed in 0.0.0-20210520170846-37e1c6afe023

CVE-2021-38561: golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Fix Status: fixed in 0.3.7

CVE-2022-32149: (golang.org/x/text) An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Fix Status: fixed in 0.3.8

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions