VYPR
High severity 7.5 · OSV Advisory · Published Jul 1, 2024 · Updated Apr 15, 2026

CVE-2024-37298

Description

gorilla/schema converts structs to and from form values. Prior to version 1.4.1, running schema.Decoder.Decode() on a struct that has a field of type []struct{...} exposes the application to malicious attacks on memory allocation that take advantage of the decoder's sparse slice functionality. Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.
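For services that cannot move to 1.4.1 immediately, the following added example (not code from gorilla/schema or from this advisory) shows a pre-decode guard that rejects form keys carrying an oversized slice index. It assumes dotted key paths such as `items.3.label`; the function name `CheckFormIndexes` and the limit of 100 are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// maxSliceIndex is a hypothetical application limit (not a gorilla/schema constant).
const maxSliceIndex = 100

// CheckFormIndexes returns an error if any form key contains a numeric path
// segment greater than maxIndex, so the request can be rejected before decoding.
// Assumption: keys use dotted paths such as "items.3.label".
func CheckFormIndexes(form url.Values, maxIndex uint64) error {
	for key := range form {
		for _, seg := range strings.Split(key, ".") {
			n, err := strconv.ParseUint(seg, 10, 64)
			if errors.Is(err, strconv.ErrRange) {
				return fmt.Errorf("form key %q: index out of range", key)
			}
			if err != nil {
				continue // not a number: a field name, not a slice index
			}
			if n > maxIndex {
				return fmt.Errorf("form key %q: index %d exceeds limit %d", key, n, maxIndex)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	dense := url.Values{"name": {"a"}, "items.0.label": {"x"}, "items.1.label": {"y"}}
	sparse := url.Values{"items.50000000.label": {"x"}}
	fmt.Println("dense: ", CheckFormIndexes(dense, maxSliceIndex))
	fmt.Println("sparse:", CheckFormIndexes(sparse, maxSliceIndex))
}
```

Call the guard on the parsed form before handing it to the decoder, and size the limit to the largest list the endpoint legitimately accepts.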

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/gorilla/schema (Go)
Affected versions: < 1.4.1
Patched versions: 1.4.1

Affected products

42

References

5
