Infinite loop in github.com/btcsuite/go-socks
Description
The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack overflow vulnerability in the go-socks SOCKS5 proxy library allows attackers to crash programs by triggering infinite loops in the LocalAddr and RemoteAddr methods.
Vulnerability
Analysis
The vulnerability resides in the go-socks library, a SOCKS5 proxy implementation for Go [1]. The RemoteAddr and LocalAddr methods on the net.Conn returned by the proxy's dial functions contain a recursive call to themselves instead of delegating to the underlying connection's methods. This programming error leads to an infinite loop when either method is invoked, ultimately causing a stack overflow and crashing the program [2][4]. The bug was present in versions of go-socks before commit 233bccbb1abe02f05750f7ace66f5bffdb13defc [2].
Attack
Vector
An attacker can trigger the vulnerability by establishing a SOCKS5 proxy connection through the affected library and then calling RemoteAddr() or LocalAddr() on the connection object returned by the proxy dial. The attacker must be able to create a proxy connection (requiring network access to the proxy server) and invoke the affected methods. No special privileges are needed beyond the ability to use the SOCKS5 proxy functionality. The crash occurs regardless of the actual address values because the methods unconditionally invoke themselves [3][4].
Impact
The primary impact is a denial of service. A remote attacker can crash any Go application that uses the vulnerable version of go-socks to handle proxy connections, simply by triggering a call to LocalAddr or RemoteAddr on the proxy's connection object. The stack overflow may also lead to uncontrolled memory consumption before the crash, potentially affecting other services on the same system. No code execution or data leakage has been reported for this vulnerability [1][4].
Mitigation
The fix was committed to the repository on August 8, 2013, and is included in versions after v0.0.0-20130808000456-233bccbb1abe [2]. Users should update to the latest version of the module. The vulnerability has been cataloged in the Go vulnerability database as GO-2020-0024 and retroactively assigned CVE-2013-10005 [4]. No known workarounds exist other than upgrading.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/btcsuite/go-socksGo | < 0.0.0-20130808000456-233bccbb1abe | 0.0.0-20130808000456-233bccbb1abe |
github.com/btcsuitereleases/go-socksGo | < 0.0.0-20130808000456-233bccbb1abe | 0.0.0-20130808000456-233bccbb1abe |
Affected products
5- ghsa-coords2 versions
< 0.0.0-20130808000456-233bccbb1abe+ 1 more
- (no CPE)range: < 0.0.0-20130808000456-233bccbb1abe
- (no CPE)range: < 0.0.0-20130808000456-233bccbb1abe
- github.com/btcsuite/go-socks/github.com/btcsuite/go-socksv5Range: 0
- github.com/btcsuitereleases/go-socks/github.com/btcsuitereleases/go-socksv5Range: 0
Patches
1233bccbb1abefix potential infinite loops in both LocalAddr and RemoteAddr
1 file changed · +2 −2
conn.go+2 −2 modified@@ -31,14 +31,14 @@ func (c *proxiedConn) LocalAddr() net.Addr { if c.boundAddr != nil { return c.boundAddr } - return c.LocalAddr() + return c.conn.LocalAddr() } func (c *proxiedConn) RemoteAddr() net.Addr { if c.remoteAddr != nil { return c.remoteAddr } - return c.RemoteAddr() + return c.conn.RemoteAddr() } func (c *proxiedConn) SetDeadline(t time.Time) error {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.