CVE-2022-30630 in Google

Summary

by MITRE • 08/11/2022

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

Analysis

by VulDB Data Team • 03/06/2026

CVE-2022-30630 is a critical security flaw in the Go standard library's io/fs package affecting versions prior to Go 1.17.12 and Go 1.18.4. The root cause is uncontrolled recursion in the Glob function, which expands file path patterns written in globbing syntax. A pattern containing an excessive number of path separators drives Glob into recursive processing without bounds checking: the implementation imposes no recursion depth limit or stack usage constraint during path traversal, so carefully constructed input can exhaust the call stack. Applications that use io/fs for file system operations and pattern matching are affected, in particular those that match glob patterns against user-supplied input or other untrusted data. Because Glob sits at the core of Go's file system abstraction layer, the flaw surfaces wherever a malformed pattern with excessive nesting is expanded.

The operational impact extends beyond a simple denial of service, as exploitation causes application crashes and system instability across affected Go applications. When an attacker supplies a path with numerous consecutive path separators, the recursive Glob function descends into excessively deep recursion that consumes stack space until exhaustion occurs, producing a panic that terminates the application process and affects availability. The vulnerability is particularly dangerous in web applications or services that accept user input for file operations, since it can be triggered remotely through crafted path parameters. The attack vector is straightforward and requires minimal sophistication, so any application that does not validate or sanitize input paths before passing them to Glob is exposed. The flaw can surface in web applications, command line tools, and any other system that processes file paths through Go's io/fs package. The stack exhaustion occurs during Glob's internal recursive traversal of the pattern, where each path separator triggers another recursive call without a termination condition or depth check.

Mitigation for CVE-2022-30630 requires upgrading affected Go versions to the fixed releases, or to a newer stable version that contains the recursion depth controls. Applications should validate file path inputs before passing them to Glob, especially when the data is untrusted: establish a maximum path depth and add recursion guards in application code that interacts with file system operations. System administrators should also monitor for abnormal stack usage and panic conditions that may indicate exploitation attempts. Security controls should include restricting the use of Glob with user-provided input and providing alternative path validation that does not rely on recursive processing. The vulnerability corresponds to CWE-674 (Uncontrolled Recursion) and can be categorized under ATT&CK technique T1499.004 for network denial of service attacks. Organizations should review their code for every use of Glob with potentially untrusted input, since the flaw can manifest in any context where file path operations are performed, and regular security assessments of Go applications should check for proper recursion handling and stack management in file system operations, particularly where external file path data or user-supplied patterns are processed.
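The separator-budget guard that the mitigation paragraph recommends, as an added Go example that is not VulDB's or the Go project's code. SafeGlob, ErrPatternTooDeep, deepPattern and the maxSeparators limit are assumed names chosen for this illustration; the file system is constructed in memory with testing/fstest so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// ErrPatternTooDeep is returned when a glob pattern exceeds the separator budget.
var ErrPatternTooDeep = errors.New("glob pattern has too many path separators")

// SafeGlob is a hypothetical guard placed in front of fs.Glob. In the affected
// releases every '/' in the pattern costs one recursive call inside Glob, so the
// separator count is the resource to bound, and it is checked before the pattern
// reaches the library. maxSeparators is an application-chosen limit.
func SafeGlob(fsys fs.FS, pattern string, maxSeparators int) ([]string, error) {
	if n := strings.Count(pattern, "/"); n > maxSeparators {
		return nil, fmt.Errorf("%w: %d separators (limit %d)", ErrPatternTooDeep, n, maxSeparators)
	}
	return fs.Glob(fsys, pattern)
}

// demoFS is a constructed in-memory file system standing in for a real tree.
var demoFS = fstest.MapFS{
	"etc/app/config.yaml":  {Data: []byte("a: 1")},
	"etc/app/secrets.yaml": {Data: []byte("b: 2")},
	"var/log/app.log":      {Data: []byte("ok")},
}

// deepPattern constructs the shape of input the advisory describes: a pattern
// consisting almost entirely of consecutive path separators.
func deepPattern(separators int) string {
	return strings.Repeat("/", separators) + "*"
}

func main() {
	// A benign pattern passes the guard and is expanded normally.
	matches, err := SafeGlob(demoFS, "etc/app/*.yaml", 16)
	fmt.Println(matches, err)

	// A pattern with a million separators is rejected up front, so the
	// recursion inside Glob is never entered regardless of the Go version.
	_, err = SafeGlob(demoFS, deepPattern(1_000_000), 16)
	fmt.Println(errors.Is(err, ErrPatternTooDeep))
}
```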

Reservation

05/12/2022

Disclosure

08/11/2022

Moderation

accepted

CPE

ready

EPSS

0.01618

KEV

no

Activities

very low
