Medium severity6.5NVD Advisory· Published Mar 5, 2024· Updated Apr 15, 2026

CVE-2023-45290

Description

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2024/03/08/4nvd
go.dev/cl/569341nvd
go.dev/issue/65383nvd
groups.google.com/g/golang-announce/c/5pwGVUPoMbgnvd
pkg.go.dev/vuln/GO-2024-2599nvd
security.netapp.com/advisory/ntap-20240329-0004/nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000