CVE-2021-38561
Denial of Service vulnerability in text (Go)


What is CVE-2021-38561 About?

golang.org/x/text, specifically the language package before 0.3.7, is vulnerable to an out-of-bounds read during BCP 47 language tag parsing. The flaw lets an attacker make the application panic, resulting in a denial of service. It is triggered by supplying untrusted input that the application parses as a language tag.

Affected Software

golang.org/x/text <0.3.7

Technical Details

The vulnerability resides in the golang.org/x/text/language package (versions prior to 0.3.7), which mishandles index calculation during BCP 47 language tag parsing. When parsing a specially crafted, untrusted user input as a language tag, the faulty index calculation can lead to an out-of-bounds read error. This in turn causes the application to panic and terminate unexpectedly. The attack vector involves providing malformed BCP 47 language tags that exploit this parsing deficiency, resulting in a denial-of-service condition.

What is the Impact of CVE-2021-38561?

Successful exploitation may allow attackers to cause applications to crash, leading to a denial of service and disrupting the availability of services that process BCP 47 language tags.

What is the Exploitability of CVE-2021-38561?

Exploitation involves providing specially crafted, untrusted user input that triggers the out-of-bounds read during BCP 47 language tag parsing; crafting such input is of moderate complexity. There are no authentication or privilege requirements; the attacker only needs the ability to supply input that is processed as a BCP 47 language tag. The attack can be remote or local, depending on how the application receives user input. Applications most at risk are those that run a vulnerable version of golang.org/x/text/language and parse untrusted language tags (e.g., from HTTP Accept-Language headers or user profiles) without prior validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-38561?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch adds defer-recover blocks to parsing functions to ensure that malformed or malicious input cannot cause panics, which previously could crash the process or be exploitable. This addresses CVE-2021-38561 by guaranteeing parsing errors always return safe error values instead of allowing a panic to propagate, thus preventing denial-of-service attacks via crafted strings.
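As an added example (not code from this page, from Resolved Security or from golang.org/x/text), the two defences described above in Go: a syntax pre-check for untrusted BCP 47 tags before they reach the library, and a defer-recover guard that turns a parser panic into an error. ValidateTagSyntax, SafeParse, the 64-byte bound and the stand-in parser in main are assumptions of this example; in a real service the parse argument would wrap language.Parse from golang.org/x/text at 0.3.7 or later.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// ErrMalformedTag is returned for input that does not have BCP 47 tag syntax.
var ErrMalformedTag = errors.New("malformed BCP 47 language tag")

// ValidateTagSyntax is a conservative pre-check for untrusted input: hyphen-separated
// subtags of 1..8 ASCII alphanumerics (RFC 5646 shape), a primary language of 2..8
// letters (or "x" for private use), and an assumed 64-byte bound on the whole tag.
func ValidateTagSyntax(tag string) error {
	for i, p := range strings.Split(tag, "-") {
		if len(tag) > 64 || len(p) < 1 || len(p) > 8 || strings.Trim(p, alnum) != "" {
			return ErrMalformedTag
		}
		if i == 0 && (strings.ContainsAny(p, "0123456789") || (len(p) < 2 && strings.ToLower(p) != "x")) {
			return ErrMalformedTag
		}
	}
	return nil
}

// SafeParse validates tag, then runs parse (e.g. a wrapper around language.Parse)
// under a defer-recover guard, so a parser panic on hostile input comes back as an
// error instead of taking the whole process down.
func SafeParse(parse func(string) (string, error), tag string) (canon string, err error) {
	if verr := ValidateTagSyntax(tag); verr != nil {
		return "", verr
	}
	defer func() {
		if r := recover(); r != nil {
			canon, err = "", fmt.Errorf("language tag parser panicked on %q: %v", tag, r)
		}
	}()
	return parse(tag)
}

func main() {
	// Constructed stand-in for language.Parse: it only lower-cases the tag.
	lower := func(s string) (string, error) { return strings.ToLower(s), nil }
	fmt.Println(SafeParse(lower, "en-US"))
	fmt.Println(SafeParse(lower, "en--US"))
}
```

The recover guard is a last line of defence for process availability; the actual fix is upgrading to 0.3.7 or later, since the guard does not remove the out-of-bounds read.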

Available Upgrade Options

  • golang.org/x/text
    • <0.3.7 → Upgrade to 0.3.7


Additional Resources

What are Similar Vulnerabilities to CVE-2021-38561?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-39325, CVE-2022-41723, CVE-2022-28131, CVE-2021-36222