golang.org/x/text/language Denial of service via crafted Accept-Language header

Overview

Source
ID
GHSA-69ch-w2m2-3vjp
Aliases
CVE-2022-32149
GO-2022-1059
Affected package

Description

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

### Specific Go Packages Affected golang.org/x/text/language

Impact

Severity
Latest version of the CVSS score reported by the source of the advisory.
7.5 HIGH
Reference links

Summary

102.15k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
12.04k
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
7.62%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
golang.org/x/text
Affected Version: Introduced: 0, Fixed: 0.3.8
Patched/Unaffected
v0.3.8
v0.3.9-0.20221012202458-252bee03417d
v0.3.9-0.20221014173359-1bdb400fb39a
v0.4.0
v0.4.1-0.20221110184632-c8236a6712b1
v0.5.0
v0.5.1-0.20221206182405-ec5565b1b747
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.14.1-0.20240415181438-8d533a0c40ad
v0.15.0
v0.16.0
v0.16.1-0.20240716160804-ae0cf96bbcd9
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.20.1-0.20241204160430-d42948e5579e
v0.21.0
Affected
v0.3.8-0.20220919155907-795e854ff348
v0.3.8-0.20220509174342-b4bca84b0361
v0.3.8-0.20220504184655-ea49e3e2d5b3
v0.3.8-0.20220428233042-78819d01d041
v0.3.8-0.20220124021120-d1c84af989ab
v0.3.8-0.20211105212822-18b340fc7af2
v0.3.8-0.20211004125949-5bd84dd9b33b
v0.3.7
v0.3.7-0.20210524175448-3115f89c4b99
v0.3.7-0.20210503195748-5c7c50ebbd4f
v0.3.7-0.20210411120140-c2d28a6ddf6c
v0.3.6
v0.3.6-0.20210227105805-e3aa4adf54f6
v0.3.6-0.20210220033129-8f690f22cf1c
v0.3.5
v0.3.5-0.20201208001344-75a595aef632
v0.3.5-0.20201125200606-c27b9fd57aec
v0.3.5-0.20201118010606-4482a914f523
v0.3.5-0.20201021145329-22f1617af38e
v0.3.4
v0.3.4-0.20200826142016-a8b467125457
v0.3.4-0.20200821135104-79eda68eebff
v0.3.3
v0.3.3-0.20200513185708-81608d7e9c68
v0.3.3-0.20200430171850-afb9336c4530
v0.3.3-0.20200425225943-6ca2caf96f15
v0.3.3-0.20200306154105-06d492aade88
v0.3.3-0.20191230102452-929e72ca90de
v0.3.3-0.20191122225017-cbf43d21aaeb
v0.3.3-0.20191031172631-4b67af870c6f
v0.3.3-0.20190829152558-3d0f7978add9
v0.3.2
v0.3.1
v0.3.1-0.20190410012825-f4905fbd45b6
v0.3.1-0.20190327094805-e3703dcdd614
v0.3.1-0.20190321115727-fe223c5a2583
v0.3.1-0.20190306152657-5d731a35f486
v0.3.1-0.20190213135515-6c92c7dc7f53
v0.3.1-0.20181227161524-e6919f6577db
v0.3.1-0.20181211190257-17bcc049122f
v0.3.1-0.20181030141323-6f44c5a2ea40
v0.3.1-0.20181010134911-4d1c5fb19474
v0.3.1-0.20180911161511-905a57155faa
v0.3.1-0.20180810153555-6e3c4e7365dd
v0.3.1-0.20180807135948-17ff2d5776d2
v0.3.1-0.20180805044716-cb6730876b98
v0.3.1-0.20180708171225-0605a8320ace
v0.3.1-0.20180629073911-c0fe8dde8a10
v0.3.1-0.20180617084112-5cec4b58c438
v0.3.1-0.20180511172408-5c1cf69b5978
v0.3.1-0.20180410181320-7922cc490dd5
v0.3.1-0.20180404182636-2cb43934f0ee
v0.3.1-0.20180323135613-ab48842968a6
v0.3.1-0.20180315130413-8c34f848e18c
v0.3.1-0.20180302201248-b7ef84aaf62a
v0.3.1-0.20180223193632-27420a1a391f
v0.3.1-0.20180221121826-9e2b64d659da
v0.3.1-0.20180208041248-4e4a3210bb54
v0.3.1-0.20171227012246-e19ae1496984
v0.3.1-0.20171214130843-f21a4dfb5e38
v0.3.0
v0.2.0
v0.1.1-0.20171204161852-57961680700a
v0.1.1-0.20171130091538-75cc3cad82b5
v0.1.1-0.20171128102810-572a2b141f62
v0.1.1-0.20171102192421-88f656faf3f3
v0.1.1-0.20171024115504-6eab0e8f74e8
v0.1.1-0.20171013141220-c01e4764d870
v0.1.1-0.20171006144033-825fc78a2fd6
v0.1.1-0.20171005092100-d82c1812e304
v0.1.1-0.20170915090833-1cbadb444a80
v0.1.1-0.20170915032832-14c0d48ead0c
v0.1.0
v0.0.0-20170901153044-bd91bbf73e9a
v0.0.0-20170825072521-ac87088df8ef
v0.0.0-20170814122439-e56139fd9c5b
v0.0.0-20170810154203-b19bf474d317
v0.0.0-20170730040918-3bd178b88a81
v0.0.0-20170714085652-836efe42bb4a
v0.0.0-20170706130353-cfdf022e86b4
v0.0.0-20170630100924-2bf8f2a19ec0
v0.0.0-20170627122817-6353ef0f9243
v0.0.0-20170620092331-4e9ab9ee170f
v0.0.0-20170613125402-3491b61b9edc
v0.0.0-20170609090223-210eee5cf732
v0.0.0-20170606172603-ab6d1c143672
v0.0.0-20170603003618-ccbd3f782212
v0.0.0-20170530162606-4ee4af566555
v0.0.0-20170512150324-19e51611da83
v0.0.0-20170427093521-470f45bf29f4
v0.0.0-20170401064109-f4b4367115ec
v0.0.0-20170323194135-fc7fa097411d
v0.0.0-20170322140210-b00b5aff2fd7
v0.0.0-20170223083118-4687d739464a
v0.0.0-20170117123646-11dbc599981c
v0.0.0-20170113092929-f72d8390a633
v0.0.0-20170105193844-44f4f658a783
v0.0.0-20161230201740-fd889fe3a20f
v0.0.0-20161216064924-a49bea13b776
v0.0.0-20161209224335-47a200a05c8b
v0.0.0-20161027091323-a8b38433e35b
v0.0.0-20161020133420-5a42fa246475
v0.0.0-20160922232553-a7c023693a94
v0.0.0-20160915075942-04b8648d973c
v0.0.0-20160908145610-1e65e9bf72c3
v0.0.0-20160816092153-d69c40b4be55
v0.0.0-20160726164857-2910a502d2bf
v0.0.0-20160719205907-0a5a09ee4409
v0.0.0-20160702143019-ce78b075c2fb
v0.0.0-20160429144731-bd1c9905f55d
v0.0.0-20160407075239-5ee49cfe7511
v0.0.0-20151217213507-cf4986612c83