Skip to content

encoding/xml: stack exhaustion in Unmarshal #53611

New issue
New issue
Closed
Closed
encoding/xml: stack exhaustion in Unmarshal#53611
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.19
@tatianab

Description

@tatianab
tatianab
opened on Jun 29, 2022

Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633.

(This was a PRIVATE issue tracked in http://b/227341754 and fixed by http://tg/1421319.)

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    Release Blockers

    Status

    Done

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions