CVE-2019-0210
Description
Apache Thrift 0.9.3 to 0.12.0 Go servers using TJSONProtocol or TSimpleJSONProtocol can panic on crafted input, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
Apache Thrift versions 0.9.3 through 0.12.0 contain a denial-of-service vulnerability affecting Go server implementations. When a server uses the TJSONProtocol or TSimpleJSONProtocol, specially crafted invalid input data can trigger a panic, crashing the server [1][2][3][4]. The root cause is a missing bounds check in the Thrift Go library's JSON protocol parser: on malformed input the parser indexes past the bytes it actually read, which raises an unhandled panic rather than returning an error.
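To make the root cause concrete, the added Go example below (not code from the Thrift project or from this page; the *bufio.Reader underlying the parser is an assumption) reproduces the pre-fix peek loop beside the patched one over a constructed two-byte input, showing that the old loop panics on a truncated token while the fixed one simply reports no match.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
)

// unsafePeekContains mirrors the pre-fix loop: only an empty peek is guarded.
func unsafePeekContains(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) == 0 || a[i] != b[i] {
			return false
		}
	}
	return true
}

// fixedPeekContains mirrors the patched loop: a short peek is a mismatch.
func fixedPeekContains(r *bufio.Reader, b []byte) bool {
	for i := 0; i < len(b); i++ {
		a, _ := r.Peek(i + 1)
		if len(a) < i+1 || a[i] != b[i] {
			return false
		}
	}
	return true
}

// probe runs fn over a reader holding input and reports panic (the DoS) vs result.
func probe(fn func(*bufio.Reader, []byte) bool, input, needle []byte) (panicked, matched bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	r := bufio.NewReader(bytes.NewReader(input))
	return false, fn(r, needle)
}

func main() {
	// Constructed input: the reader holds only "ab"; "abcd" is a matching prefix longer than the data.
	in, needle := []byte("ab"), []byte("abcd")
	p, _ := probe(unsafePeekContains, in, needle)
	fmt.Println("pre-fix panicked:", p) // true
	p, m := probe(fixedPeekContains, in, needle)
	fmt.Println("fixed panicked:", p, "matched:", m) // false false
}
```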
Exploitation
Conditions
An unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted JSON payload to an affected Thrift endpoint. The attack requires network access to the server's listening port but does not require authentication or prior knowledge [4]. The vulnerability is specific to Go-based servers using these particular JSON protocols; other languages or protocols within Thrift are not affected.
Impact
Successful exploitation results in a denial-of-service (DoS) condition, causing the target server to panic and terminate abruptly. This can lead to service disruption, requiring manual restart or automated recovery mechanisms to restore availability [1][2][3][4]. The impact is limited to availability, as there is no evidence of remote code execution or data exfiltration.
Mitigation
Apache has addressed the issue in Thrift 0.13.0, the first release after 0.12.0. Users of affected versions should upgrade to a patched release. Red Hat has provided updates for JBoss Enterprise Application Platform (EAP) that include the fix (RHSA-2020:0804, RHSA-2020:0805, RHSA-2020:0806) [1][2][3]. No workaround is available beyond upgrading or avoiding the use of the vulnerable protocols.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/apache/thrift | Go | >= 0.9.3, < 0.13.0 | 0.13.0 |
Affected products
- Apache / Apache Thrift, range 0.9.3 to 0.12.0
Patches
264a3f318ed3 additional test for TSimpleJSONProtocol
3 files changed · +25 −6
lib/go/thrift/json_protocol.go+1 −4 modified@@ -32,10 +32,7 @@ const ( // for references to _ParseContext see tsimplejson_protocol.go // JSON protocol implementation for thrift. -// -// This protocol produces/consumes a simple output format -// suitable for parsing by scripting languages. It should not be -// confused with the full-featured TJSONProtocol. +// Utilizes Simple JSON protocol // type TJSONProtocol struct { *TSimpleJSONProtocol
lib/go/thrift/simple_json_protocol.go+2 −2 modified@@ -60,7 +60,7 @@ func (p _ParseContext) String() string { return "UNKNOWN-PARSE-CONTEXT" } -// JSON protocol implementation for thrift. +// Simple JSON protocol implementation for thrift. // // This protocol produces/consumes a simple output format // suitable for parsing by scripting languages. It should not be @@ -1316,7 +1316,7 @@ func (p *TSimpleJSONProtocol) readNumeric() (Numeric, error) { func (p *TSimpleJSONProtocol) safePeekContains(b []byte) bool { for i := 0; i < len(b); i++ { a, _ := p.reader.Peek(i + 1) - if len(a) == 0 || a[i] != b[i] { + if len(a) < (i+1) || a[i] != b[i] { return false } }
lib/go/thrift/simple_json_protocol_test.go+22 −0 modified@@ -714,3 +714,25 @@ func TestWriteSimpleJSONProtocolMap(t *testing.T) { } trans.Close() } + +func TestWriteSimpleJSONProtocolSafePeek(t *testing.T) { + trans := NewTMemoryBuffer() + p := NewTSimpleJSONProtocol(trans) + trans.Write([]byte{'a', 'b'}) + trans.Flush(context.Background()) + + test1 := p.safePeekContains([]byte{'a', 'b'}) + if !test1 { + t.Fatalf("Should match at test 1") + } + + test2 := p.safePeekContains([]byte{'a', 'b', 'c', 'd'}) + if test2 { + t.Fatalf("Should not match at test 2") + } + + test3 := p.safePeekContains([]byte{'x', 'y'}) + if test3 { + t.Fatalf("Should not match at test 3") + } +}
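Review bot: the replacement doc comment on TJSONProtocol in json_protocol.go, `// Utilizes Simple JSON protocol`, is too terse for an exported type, and the removed text was wrong rather than surplus (it described the simple protocol). Since the struct embeds `*TSimpleJSONProtocol`, a godoc-style comment such as `// TJSONProtocol is the full-featured JSON protocol for thrift, built on top of TSimpleJSONProtocol.` would document both the type and the embedding.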
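Review bot: the new guard `if len(a) < (i+1) || a[i] != b[i]` in safePeekContains is the real fix in this commit, and the hunk deserves a comment saying why: the old `len(a) == 0` check only covered an empty peek, so when `p.reader.Peek(i + 1)` returned a non-empty slice shorter than i+1 bytes (input that ends mid-token), `a[i]` indexed past the slice and panicked, which is the crash this CVE describes. Two follow-ups: the error from Peek is still discarded, and the loop peeks len(b) times with a growing window; a single `a, _ := p.reader.Peek(len(b))` followed by `return bytes.HasPrefix(a, b)` is equivalent (HasPrefix returns false for a short slice) and easier to audit. Because this hunk changes behaviour, the commit title "additional test for TSimpleJSONProtocol" undersells it; naming the out-of-range fix would help anyone bisecting.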
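Review bot: in TestWriteSimpleJSONProtocolSafePeek, `test2` (needle `abcd` against a buffer holding only `ab`) is exactly the case that panicked before the safePeekContains change, yet nothing marks it as the regression test; a one-line comment saying so, and a name without "Write" (the test only reads via peek), e.g. TestSimpleJSONProtocolSafePeekContains, would make the intent clear. An empty-buffer case (no `trans.Write`, non-empty needle) would also pin down the original `len(a) == 0` path that the new check subsumes.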
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811
- https://github.com/advisories/GHSA-jq7p-26h5-w78r
- https://nvd.nist.gov/vuln/detail/CVE-2019-0210
- https://security.gentoo.org/glsa/202107-32
- https://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3C277A46CA87494176B1BBCF5D72624A2A%40HAGGIS%3E
- https://github.com/apache/thrift/blob/master/CHANGES.md
- https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
- https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142%40%3Ccommits.pulsar.apache.org%3E
- https://pkg.go.dev/vuln/GO-2021-0101
- https://www.oracle.com/security-alerts/cpujul2021.html
News mentions
No linked articles in our index yet.