Description
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or if the Decoder is passed to golang.org/x/text/transform.String.
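To make the edge case behind this CWE-835 report concrete, here is an added, stdlib-only Go decoder (example code, not x/text's implementation) that performs BOM detection the way a safe decoder must: an input too short to hold a BOM or a code unit is rejected with an error instead of being left as a "no progress" result that a String-style loop would retry forever. Assumptions: big-endian is the default when no BOM is present, and an odd trailing byte becomes U+FFFD.

```go
package main

import (
	"errors"
	"unicode/utf16"
)

var (
	// Fewer than 2 bytes cannot be classified by BOM handling; returning an
	// error (not "no progress") is what keeps a String() loop from spinning.
	ErrShortSrc   = errors.New("utf16: input shorter than one code unit")
	ErrMissingBOM = errors.New("utf16: byte order mark expected but absent")
)

// DecodeUTF16 decodes src to a Go string. With expectBOM a BOM is mandatory
// (like ExpectBOM); otherwise a BOM is honoured when present and big-endian is
// assumed when absent (assumption for this example, see lead-in).
func DecodeUTF16(src []byte, expectBOM bool) (string, error) {
	if len(src) < 2 {
		// The single-byte trigger from the advisory: fail fast, never spin.
		return "", ErrShortSrc
	}
	bigEndian := true
	switch {
	case src[0] == 0xFE && src[1] == 0xFF:
		src = src[2:]
	case src[0] == 0xFF && src[1] == 0xFE:
		bigEndian = false
		src = src[2:]
	default:
		if expectBOM {
			return "", ErrMissingBOM
		}
	}
	units := make([]uint16, 0, len(src)/2)
	for i := 0; i+1 < len(src); i += 2 {
		if bigEndian {
			units = append(units, uint16(src[i])<<8|uint16(src[i+1]))
		} else {
			units = append(units, uint16(src[i+1])<<8|uint16(src[i]))
		}
	}
	// utf16.Decode pairs surrogates; a dangling odd byte becomes U+FFFD so
	// truncated input is visible to the caller rather than silently dropped.
	runes := utf16.Decode(units)
	if len(src)%2 == 1 {
		runes = append(runes, '\uFFFD')
	}
	return string(runes), nil
}
```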
References (2)
- Mailing List (x_refsource_misc): https://groups.google.com/forum/#%21topic/golang-announce/bXVeAmGOqz0
- Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TACQFZDPA7AUR6TRZBCX2RGRFSDYLI7O/
Scores
CVSS v3: 7.5
EPSS: 0.0001
EPSS Percentile: 0.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-835
Status: published
Products (3)
- fedoraproject/fedora: 32
- golang/text: < 0.3.3
- x/text (Go): 0 - 0.3.3
Published: Jun 17, 2020
Tracked Since: Feb 18, 2026