Buffer under-read in workerd
Description
Integer overflow in workerd's FormData API allowed out-of-bounds memory read with forEach() on >2^31 elements, requiring extreme resources and patched in v1.20230419.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
What the vulnerability is
CVE-2023-2512 is an integer overflow vulnerability in the FormData API implementation of Cloudflare's workerd runtime, which powers Cloudflare Workers. Prior to version v1.20230419.0, if a FormData instance contained more than 2^31 elements, the forEach() method could read from an incorrect memory location while iterating, leading to a segmentation fault or potentially arbitrary undefined behavior [1][4].
How it is exploited
Exploitation requires extreme conditions: the process must be able to allocate approximately 160 GB of RAM, and an attacker would need to upload a single form-encoded HTTP request of tens of gigabytes in size. The application must then invoke request.formData() to parse the request and formData.forEach() to iterate over the data. The vendor assessed the exploitation likelihood as Low due to these substantial resource requirements and the fact that the bug was never exploitable on the Cloudflare Workers platform itself [1][4].
Impact
If successfully triggered, the out-of-bounds memory read could cause a segmentation fault, crashing the process, or in worst-case scenarios allow arbitrary undefined behavior, potentially leading to memory corruption or information disclosure. However, the practical exploitability is extremely limited given the memory and bandwidth prerequisites [1].
Mitigation status
A fix was released in version v1.20230419.0 [3]. Users are urged to update to the latest version available. The GitHub advisory provides patching details, and the project's release notes confirm the remediation [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| workerd (npm) | < 1.20230419.0 | 1.20230419.0 |
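
To check a project against the table above, the following added example (not code from the advisory or from workerd) scans an npm lockfile for `workerd` installs below the patched version. It assumes a lockfile with a `packages` map (lockfileVersion 2 or 3); the sample lockfile and the `example-tool` dependency are constructed.

```javascript
// Added example; function names and the sample lockfile are constructed.
const PATCHED = "1.20230419.0"; // patched version from the table above

// Compare dotted numeric versions; returns <0, 0 or >0.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split(".").map((p) => parseInt(p, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map and return every workerd install, top-level or
// nested under another dependency, that is older than the patched version.
function findVulnerableWorkerd(lockfileText) {
  const packages = JSON.parse(lockfileText).packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/workerd$/.test(path)) continue;
    if (!meta || typeof meta.version !== "string") continue;
    if (compareVersions(meta.version, PATCHED) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: one patched top-level copy, one older nested copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/workerd": { version: "1.20230419.0" },
    "node_modules/example-tool/node_modules/workerd": { version: "1.20221108.0" },
    "node_modules/not-workerd": { version: "0.1.0" },
  },
});
```

Nested copies matter because a tool that bundles its own `workerd` keeps the old runtime even after the top-level dependency is updated.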
Affected products
- Range: v1.20221108.0
Patches
13c43e16e0e29 Bump compatibility date to `2023-04-19` for release (#549)
1 file changed · +1 −1
src/workerd/io/compatibility-date.capnp+1 −1 modified@@ -8,7 +8,7 @@ using Cxx = import "/capnp/c++.capnp"; $Cxx.namespace("workerd"); $Cxx.allowCancellation; -const supportedCompatibilityDate :Text = "2023-04-04"; +const supportedCompatibilityDate :Text = "2023-04-19"; # Newest compatibility date that can safely be set using code compiled from this repo. Trying to # run a Worker with a newer compatibility date than this will fail. #
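Review bot: The only changed line, `supportedCompatibilityDate` going from "2023-04-04" to "2023-04-19", is a release marker, and neither the hunk nor the commit title names the FormData `forEach()` overflow, so anyone auditing or backporting the fix gets no pointer from this commit. Suggest referencing the change that corrects the iteration logic in the commit message or the release notes, so the remediation can be traced to the code that actually handles element counts above 2^31.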
Vulnerability mechanics
Root cause
"Integer overflow in FormData API's forEach() iteration logic when element count exceeds 2^31."
Attack vector
An attacker would need to upload a single form-encoded HTTP request of at least tens of gigabytes in size, which the application then parses via `request.formData()`. The application must subsequently call `formData.forEach()` on the resulting FormData object containing more than 2^31 elements. The integer overflow in the iteration logic causes `forEach()` to read from the wrong memory location, likely leading to a segmentation fault or potentially arbitrary undefined behavior [patch_id=1641062].
Affected code
The vulnerability resides in the FormData API implementation within workerd. The patch file `src/workerd/io/compatibility-date.capnp` only bumps the compatibility date string from `"2023-04-04"` to `"2023-04-19"`; the actual fix for the integer overflow is not visible in this diff. The advisory states that when a FormData instance contains more than 2^31 elements, the `forEach()` method reads from incorrect memory locations during iteration.
What the fix does
The patch shown only updates the supported compatibility date from `"2023-04-04"` to `"2023-04-19"` in `compatibility-date.capnp` [patch_id=1641062]. This date bump gates the release that contains the actual integer overflow fix in the FormData implementation. By advancing the compatibility date, the fix is enabled for all Workers using the new date, preventing the `forEach()` method from reading out-of-bounds memory when iterating over more than 2^31 elements.
Preconditions
- config: The process must be able to allocate approximately 160 GB of RAM to hold a FormData object with more than 2^31 elements.
- input: An attacker must upload a single form-encoded HTTP request of at least tens of gigabytes in size.
- input: The application must call request.formData() to parse the request and then formData.forEach() to iterate over the data.
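
The preconditions above all depend on a very large form body reaching `request.formData()`. As an added example (not workerd's or Cloudflare's code), a form endpoint can refuse such bodies before parsing; the 10 MiB limit, the status codes and the function names are assumptions.

```javascript
// Added example; limit, status codes and names are assumptions, not workerd code.
const MAX_FORM_BYTES = 10 * 1024 * 1024; // assumed per-request cap (10 MiB)

// Decide from headers alone whether a body may be handed to formData().
// `headers` is anything with get(name): a Fetch Headers object or a Map.
function checkFormHeaders(headers, maxBytes = MAX_FORM_BYTES) {
  const type = (headers.get("content-type") || "").toLowerCase();
  const isForm =
    type.startsWith("application/x-www-form-urlencoded") ||
    type.startsWith("multipart/form-data");
  if (!isForm) return { ok: false, status: 415, reason: "not a form body" };

  const raw = headers.get("content-length");
  // No usable declared length (for example a chunked upload): refuse
  // instead of reading an unbounded stream into the form parser.
  if (raw == null || !/^\d+$/.test(raw)) {
    return { ok: false, status: 411, reason: "length required" };
  }
  if (Number(raw) > maxBytes) {
    return { ok: false, status: 413, reason: "form too large" };
  }
  return { ok: true, status: 200, reason: "within limit" };
}

// Form endpoint: parse and iterate only after the size check has passed.
async function handleForm(request) {
  const verdict = checkFormHeaders(request.headers);
  if (!verdict.ok) {
    return new Response(verdict.reason, { status: verdict.status });
  }
  const form = await request.formData();
  let fields = 0;
  form.forEach(() => { fields += 1; });
  return new Response(`fields: ${fields}`);
}
```

In a Worker, call `handleForm(request)` from the `fetch` handler; the cap is defence in depth and does not replace updating to the patched version.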
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References