High severityNVD Advisory· Published Mar 18, 2020· Updated Aug 4, 2024

CVE-2019-11939

Description

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/facebook/fbthriftGo	< 0.31.1-0.20200311080807-483ed864d69f	0.31.1-0.20200311080807-483ed864d69f

Affected products

osv-coords23 versions
pkg:apk/chainguard/libthrift pkg:apk/chainguard/libthrift-glib pkg:apk/chainguard/libthriftnb pkg:apk/chainguard/libthriftz pkg:apk/chainguard/py3.10-thrift pkg:apk/chainguard/py3.11-thrift pkg:apk/chainguard/py3.12-thrift pkg:apk/chainguard/py3.13-thrift pkg:apk/chainguard/py3-supported-thrift pkg:apk/chainguard/thrift pkg:apk/chainguard/thrift-dev pkg:apk/wolfi/libthrift pkg:apk/wolfi/libthrift-glib pkg:apk/wolfi/libthriftnb pkg:apk/wolfi/libthriftz pkg:apk/wolfi/py3.10-thrift pkg:apk/wolfi/py3.11-thrift pkg:apk/wolfi/py3.12-thrift pkg:apk/wolfi/py3.13-thrift pkg:apk/wolfi/py3-supported-thrift pkg:apk/wolfi/thrift pkg:apk/wolfi/thrift-dev pkg:golang/github.com/facebook/fbthrift
< 0+ 22 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.31.1-0.20200311080807-483ed864d69f
Facebook/Facebookcpe-rescue
Range: unspecified

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-w3r9-r9w7-8h48ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-11939ghsaADVISORY
github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757ghsax_refsource_MISCWEB
pkg.go.dev/vuln/GO-2021-0082ghsaWEB
www.facebook.com/security/advisories/cve-2019-11939ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000