Infinite loop when decoding some inputs in golang.org/x/text

Overview

Source
ID
GO-2020-0015
Aliases
CVE-2020-14040
GHSA-5rcv-m4m3-hfh7
Affected package

Description

An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user-supplied input, this may be used as a denial-of-service vector.
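A caller-side input check of the kind the description implies, as an added example written for this page (it is not code from golang.org/x/text, and the real remedy is upgrading to v0.3.3): the function name, the error values and the standard-library decoding are assumptions; the function rejects odd-length input, including the single byte from this advisory, before any BOM-aware decoding takes place.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// ErrTruncatedUTF16 is returned for input that cannot be a whole sequence of UTF-16 code units.
var ErrTruncatedUTF16 = errors.New("utf16: input length is not a multiple of 2")

// ErrMissingBOM is returned when a byte order mark was required but is absent.
var ErrMissingBOM = errors.New("utf16: expected byte order mark")

// decodeUTF16WithBOM is a caller-side guard (hypothetical helper, not x/text code).
// It rejects odd-length input up front, so a lone byte never reaches a decoder loop,
// then decodes with the standard library. expectBOM mirrors the ExpectBOM policy
// (a BOM is mandatory); otherwise, as with UseBOM, the BOM is optional and
// big-endian is assumed when it is absent.
func decodeUTF16WithBOM(src []byte, expectBOM bool) (string, error) {
	if len(src)%2 != 0 {
		return "", ErrTruncatedUTF16
	}
	var order binary.ByteOrder = binary.BigEndian
	switch {
	case len(src) >= 2 && src[0] == 0xFE && src[1] == 0xFF:
		src = src[2:] // big-endian BOM, strip it
	case len(src) >= 2 && src[0] == 0xFF && src[1] == 0xFE:
		order = binary.LittleEndian
		src = src[2:] // little-endian BOM, strip it
	case expectBOM:
		return "", ErrMissingBOM
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 0; i+1 < len(src); i += 2 {
		units = append(units, order.Uint16(src[i:]))
	}
	return string(utf16.Decode(units)), nil // utf16.Decode also joins surrogate pairs
}

func main() {
	// Constructed sample inputs: a lone byte, a little-endian "hi" with BOM, a BOM-less "hi".
	for _, in := range [][]byte{{0x00}, {0xFF, 0xFE, 'h', 0, 'i', 0}, {0, 'h', 0, 'i'}} {
		s, err := decodeUTF16WithBOM(in, true)
		fmt.Printf("%x -> %q, %v\n", in, s, err)
	}
}
```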

Summary

Total packages affected: 36.65k (packages with at least one version that is affected by the advisory or has an affected dependency).
Packages with a known fix: 5.36k (packages with versions affected by the advisory that have a greater version that is not affected).
Total ecosystem affected: 2.78% (the proportion of packages in the ecosystem that are affected by the advisory, fixed or not).
Affected Version: Introduced: 0, Fixed: 0.3.3
Patched/Unaffected: v0.17.0, v0.18.0, v0.19.0, v0.20.0, v0.21.0
Affected