VYPR
High severityNVD Advisory· Published Jul 17, 2023· Updated Oct 18, 2024

Attacker-controlled parameter can cause denial of service in hamba avro

CVE-2023-37475

Description

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal() can throw a fatal error: runtime: out of memory which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to Unmarshal() to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit b4a402f4 which has been included in release version 2.13.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/hamba/avroGo
< 2.13.02.13.0
github.com/hamba/avro/v2Go
< 2.13.02.13.0

Affected products

9

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.