CVE-2022-30633 in Google
Summary
by MITRE • 08/11/2022
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/06/2026
The vulnerability identified as CVE-2022-30633 represents a critical security flaw in the Go programming language's xml package that affects versions prior to Go 1.17.12 and Go 1.18.4. This issue stems from uncontrolled recursion during XML unmarshalling operations, specifically when processing structs containing nested fields with the 'any' field tag. The vulnerability operates at the core of Go's data serialization and deserialization mechanisms, creating a potential denial of service condition that can be exploited by malicious actors. The flaw manifests when an attacker crafts a malicious XML document that, when unmarshalled into a Go struct, triggers infinite recursive calls due to improper handling of the 'any' field tag.
The technical implementation of this vulnerability exploits the recursive nature of XML processing when the 'any' field tag is present in Go struct definitions. This field tag instructs the xml package to unmarshal any child elements into the specified field, but without proper recursion depth limits, an attacker can construct XML documents where nested elements reference each other in a circular pattern. The unmarshalling process continues indefinitely until the stack space is exhausted, leading to a panic condition that crashes the application. This behavior directly aligns with CWE-674, which describes uncontrolled recursion in software systems, and represents a classic stack exhaustion attack vector. The vulnerability demonstrates how improper input validation and lack of recursion depth checking can create exploitable conditions in well-established serialization libraries.
The operational impact of CVE-2022-30633 extends beyond simple application crashes, as it can be leveraged in various attack scenarios within systems that process untrusted XML input. Applications using the affected Go versions that accept XML data from external sources, such as web services, configuration files, or user uploads, become vulnerable to denial of service attacks that can disrupt service availability. The vulnerability is particularly concerning in environments where Go applications serve as intermediaries or processing nodes, as attackers could potentially cause cascading failures across interconnected systems. From an attacker's perspective, this vulnerability maps to ATT&CK technique T1499.004, which covers network denial of service attacks, and represents a significant threat to system availability and reliability. The exploitability is relatively straightforward, requiring only the construction of a specific XML payload that triggers the recursive behavior.
Mitigation strategies for CVE-2022-30633 primarily focus on upgrading to patched versions of Go where the recursion limits have been implemented. Organizations should prioritize updating their Go runtime environments to versions 1.17.12 or 1.18.4 and later, as these releases contain the necessary safeguards against uncontrolled recursion. Additionally, implementing input validation measures such as XML schema validation and size limitations can provide defensive layers against malformed input. Security teams should also consider implementing application-level monitoring to detect unusual stack usage patterns that might indicate exploitation attempts. The vulnerability highlights the importance of proper recursion handling in serialization libraries and reinforces the need for comprehensive security testing of data processing components. Organizations should conduct thorough vulnerability assessments of their Go applications to identify any code patterns that might be susceptible to similar recursion issues in other parts of their systems.