[security] Vulnerability in golang.org/x/text/language

213 views
Skip to first unread message

Roland Shoemaker

unread,
Oct 11, 2022, 1:02:05 PM10/11/22
to golang-...@googlegroups.com
Hello gophers,

Version v0.3.8 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/language package which could cause a denial of service.

An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

This issue was discovered by OSS-Fuzz and reported to us by Adam Korczynski (ADA Logics), and is tracked as CVE-2022-32149 and https://go.dev/issue/56152.

Cheers,
Roland on behalf of the Go team
Reply all
Reply to author
Forward
0 new messages