Skip to content

Denial of Service in http-swagger

High severity GitHub Reviewed Published Apr 18, 2022 in swaggo/http-swagger • Updated Mar 4, 2024

Package

gomod github.com/swaggo/http-swagger (Go)

Affected versions

< 1.2.6

Patched versions

1.2.6

Description

Impact

Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system.

Patches

Yes. Please upgrade to v1.2.6.

Workarounds

A workaround is to restrict the path prefix to the "GET" method. As shown below

func main() {
	r := mux.NewRouter()

	r.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
		httpSwagger.URL("http://localhost:1323/swagger/doc.json"), //The url pointing to API definition
		httpSwagger.DeepLinking(true),
		httpSwagger.DocExpansion("none"),
		httpSwagger.DomID("#swagger-ui"),
	)).Methods(http.MethodGet)

References

Reporter dongguangli from https://www.huoxian.cn/ company

For more information

If you have any questions or comments about this advisory:

References

@ubogdan ubogdan published to swaggo/http-swagger Apr 18, 2022
Published by the National Vulnerability Database Apr 18, 2022
Published to the GitHub Advisory Database Apr 22, 2022
Reviewed Apr 22, 2022
Last updated Mar 4, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2022-24863

GHSA ID

GHSA-xg75-q3q5-cqmv

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.