VYPR
Medium severity5.9NVD Advisory· Published Nov 28, 2023· Updated Jun 17, 2026

CVE-2023-45286

CVE-2023-45286

Description

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/go-resty/resty/v2Go
>= 2.10.0, < 2.11.02.11.0

Affected products

8

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.