High severity7.5NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-1000098

Description

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.

Affected products

Golang/Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Range: <1.6.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

golang.org/cl/30410nvdIssue TrackingPatchVendor Advisory
golang.org/issue/17965nvdIssue TrackingPatchVendor Advisory
groups.google.com/forum/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000