CVE-2022-28131 in Google Go

Summary

by MITRE • 08/11/2022

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2022-28131 is a critical security flaw in the Go standard library's encoding/xml package that affects versions prior to Go 1.17.12 and Go 1.18.4. It is an uncontrolled-recursion bug in the Decoder.Skip method, which the parser uses to advance past an XML element and everything nested inside it. Because Skip performed no recursion-depth check while walking the element hierarchy, a malformed document can drive the parser into a denial of service.

The flaw is triggered by a deeply nested XML document whose nesting exceeds the capacity of the goroutine's stack during parsing. Each nested element causes Decoder.Skip to call itself again for the child element, with no upper bound on depth, so a document with enough nesting levels makes the Go runtime exhaust its stack space. The runtime responds with a fatal stack-overflow panic that terminates the process, which is the denial-of-service condition. The defect is confined to the recursive skip logic: each nested start element produces another recursive call, and nothing in that path counts or limits depth.

From an operational perspective, the vulnerability matters most for applications that parse untrusted XML, in particular web services, APIs, and any component that accepts user-submitted documents. An attacker can submit an XML document that looks legitimate but carries excessive nesting designed to exhaust the stack. Because the process terminates rather than returning an error, the impact goes beyond a single failed request: it affects availability of the whole service and can cascade into dependent services and applications. The risk is highest in environments where XML parsing is routine, such as enterprise applications, web servers, and middleware that speaks XML-based protocols.

The mitigation for CVE-2022-28131 is to upgrade to Go 1.17.12 or 1.18.4, which contain the fix for the uncontrolled recursion in encoding/xml; the fix lives in the standard library, so affected programs must also be rebuilt with the patched toolchain. Organizations should prioritize patching affected systems and test the rebuilt binaries for compatibility with the updated runtime. Additional defensive measures include enforcing XML nesting and size limits before a document reaches the decoder, constraining input size, and applying XML schema validation to reject malformed documents early. The weakness maps to CWE-674, "Uncontrolled Recursion", which covers recursive functions that lack proper termination conditions or depth limits. The attack pattern can be categorized under ATT&CK technique T1499.004, which covers "Endpoint Denial of Service" through resource exhaustion attacks that target application stack space limitations.
