CVE-2023-37788

Vulnerability

Description

CVE-2023-37788 is a denial-of-service (DoS) vulnerability in the goproxy library version 1.1, which is a Go-based HTTP/HTTPS proxy. The issue stems from a nil pointer dereference occurring when the proxy, running in Man-in-the-Middle (MITM) mode, receives a specially crafted HTTP request where the path is replaced with an asterisk (*). This malformed request causes a panic, crashing the proxy server and leading to a denial of service [4].

Exploitation

Details

To exploit the vulnerability, an attacker must be able to send traffic through the goproxy instance configured in MITM mode. The exploit is straightforward: the attacker sends a request like GET * HTTP/1.1 over an SSL connection to the proxy. The proxy's handleHttps function at https.go:249 fails to properly validate the request, resulting in a nil pointer dereference and a segmentation fault [4]. No authentication is required; the attack can be executed from any network client that can reach the proxy.

Impact

Successful exploitation causes the goproxy process to crash, disrupting all proxy services for legitimate users. Since goproxy is often used as a building block in larger systems (e.g., Kubernetes CSI drivers), a crash can have cascading effects on dependent applications [2]. The vulnerability has a CVSS severity of 5.9 (medium) and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation potential [3].

Mitigation

The issue has been addressed in commit f99041a5c (PR #507), which adds proper nil checks for the request object [1][2]. Users should update to a version of goproxy that includes this fix. For applications that cannot immediately update, a workaround is to avoid enabling MITM mode unless necessary, as the vulnerability only manifests in MITM mode [4].