CVE-2022-32149
Denial of Service vulnerability in text (Go)
What is CVE-2022-32149 About?
This vulnerability in the BCP 47 tag parser, specifically in 'golang.org/x/text/language', exhibits quadratic time complexity when parsing Accept-Language headers. This allows an attacker to cause a denial of service by sending crafted input that consumes significant processing time. Exploitation is relatively easy due to the parser's exposure to untrusted user input.
Affected Software
Technical Details
The BCP 47 tag parser in the golang.org/x/text/language package has a design flaw that gives it quadratic time complexity. When parsing an Accept-Language header, processing time grows quadratically with the length of the input, specifically with the number of dashes in the string. Since this parser is exposed to untrusted user input, a malicious actor can craft an Accept-Language header containing an excessive number of dashes. Such input causes the parser to consume disproportionate CPU time, leading to resource exhaustion and a denial of service for the application or server that uses the parser.
What is the Impact of CVE-2022-32149?
Successful exploitation may allow attackers to consume excessive system resources, leading to a denial of service for the affected application or server, impacting availability and responsiveness.
What is the Exploitability of CVE-2022-32149?
Exploitation involves sending specifically crafted HTTP Accept-Language headers to an application using the vulnerable BCP 47 tag parser. The complexity is low, as it primarily requires constructing a long string with many dashes. No authentication is required, as Accept-Language headers are typically sent with unauthenticated requests. No specific privileges are needed on the target system. This is a remote exploitation vulnerability, as the attack is delivered via HTTP requests. The primary condition is that the application uses the vulnerable golang.org/x/text/language package and exposes the BCP 47 parser to untrusted input. The risk is heightened when the application processes a large volume of requests or is critical for business operations, as it can be easily subjected to resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-32149?
About the Fix from Resolved Security
The patch limits the number of '-' characters in the Accept-Language header to 1000, rejecting overly long or complex header values with a specific error. This prevents resource exhaustion or denial-of-service caused by excessively large headers, which addresses the uncontrolled resource consumption vulnerability CVE-2022-32149.
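The guard described above can also be applied in front of the parser by any service that cannot upgrade immediately. The following is an added example, not code from golang.org/x/text or from Resolved Security: it counts the '-' characters in the Accept-Language header in a single linear pass and rejects the request with 400 Bad Request when the count exceeds the 1000 limit named in the fix, so the quadratic parser never sees the oversized value. The limit constant, the error value and the handler names are this example's own assumptions, not identifiers from the patched package.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// maxAcceptLanguageDashes mirrors the limit described in the upstream fix:
// Accept-Language values with more than 1000 '-' characters are rejected
// before any BCP 47 parsing happens. (Constant name is this example's own.)
const maxAcceptLanguageDashes = 1000

// ErrAcceptLanguageTooComplex is this example's own error value, not the
// error returned by golang.org/x/text/language.
var ErrAcceptLanguageTooComplex = errors.New("accept-language: too many subtag separators")

// CheckAcceptLanguage returns an error when the header value carries more
// dashes than the limit. strings.Count is a single linear scan, so the guard
// stays cheap no matter how long the input is.
func CheckAcceptLanguage(value string) error {
	if strings.Count(value, "-") > maxAcceptLanguageDashes {
		return ErrAcceptLanguageTooComplex
	}
	return nil
}

// DashBudget reports how many '-' characters a value contains and whether it
// would be accepted; useful for logging or metrics when tuning the guard.
func DashBudget(value string) (count int, ok bool) {
	count = strings.Count(value, "-")
	return count, count <= maxAcceptLanguageDashes
}

// GuardAcceptLanguage wraps an http.Handler and answers 400 Bad Request when
// the Accept-Language header would exceed the limit, so a downstream call to
// the vulnerable parser (e.g. language.ParseAcceptLanguage) is never reached.
func GuardAcceptLanguage(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckAcceptLanguage(r.Header.Get("Accept-Language")); err != nil {
			http.Error(w, "invalid Accept-Language header", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample values: a typical browser header and an oversized one.
	samples := []string{
		"en-US,en;q=0.9,de-DE;q=0.8",
		strings.Repeat("-", maxAcceptLanguageDashes+1),
	}
	for _, s := range samples {
		n, ok := DashBudget(s)
		fmt.Printf("dashes=%d accepted=%v err=%v\n", n, ok, CheckAcceptLanguage(s))
	}
}
```

Mount GuardAcceptLanguage around the handlers that call the parser; it is defense in depth only, and upgrading golang.org/x/text to 0.3.8, where the same limit is enforced inside the package, remains the actual fix.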
Available Upgrade Options
- golang.org/x/text
  - <0.3.8 → Upgrade to 0.3.8
Additional Resources
- https://go.dev/cl/442235
- https://osv.dev/vulnerability/GO-2022-1059
- https://github.com/golang/go/issues/56152
- https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c
- https://security.netapp.com/advisory/ntap-20230203-0006/
- https://pkg.go.dev/vuln/GO-2022-1059
- https://go.dev/issue/56152
- https://osv.dev/vulnerability/GHSA-69ch-w2m2-3vjp
- https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ
What are Similar Vulnerabilities to CVE-2022-32149?
Similar Vulnerabilities: CVE-2022-27774, CVE-2021-27902, CVE-2020-25695, CVE-2018-8794, CVE-2015-2010
