CVE-2021-4236
CRITICAL
web_project/web 1.4.0-1.5.2 - Null Pointer Dereference in WebSocket AuthenticateMethod
Title source: llm
Description
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.
References (2)
Core References
Patch, Third Party Advisory
https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
Exploit, Patch, Third Party Advisory
https://pkg.go.dev/vuln/GO-2021-0107
Scores
CVSS v3
9.8
EPSS
0.0112
EPSS Percentile
62.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-476
Status
published
Products (2)
ecnepsnai/web
1.4.0 - 1.5.2
Go
web_project/web
1.4.0 - 1.5.2
Published
Dec 27, 2022
Tracked Since
Feb 18, 2026