Vulnerability Report: GO-2022-0233

CVE-2021-23409, GHSA-xcf7-q56x-78gh
Affects: github.com/pires/go-proxyproto
Published: Jul 01, 2022
Modified: May 20, 2024

The PROXY protocol server does not impose a timeout on reading the header from new connections, allowing a malicious client to cause resource exhaustion and a denial of service by opening many connections and sending no data on them. v0.6.0 of the proxyproto package adds support for a user-defined header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout to 10s.

Affected Packages

Path

Go Versions

Symbols
github.com/pires/go-proxyproto

before v0.6.1
- Listener.Accept

Aliases

CVE-2021-23409
GHSA-xcf7-q56x-78gh

References

https://github.com/pires/go-proxyproto/pull/74
https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346
https://github.com/pires/go-proxyproto/issues/65
https://vuln.go.dev/ID/GO-2022-0233.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL