CVE-2022-30635 in Google
Summary
by MITRE • 08/11/2022
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/06/2026
The vulnerability identified as CVE-2022-30635 represents a critical uncontrolled recursion flaw within the Go programming language's gob encoding package. This issue affects versions prior to Go 1.17.12 and Go 1.18.4, where the Decoder.Decode function fails to properly handle deeply nested data structures during message processing. The gob package is a binary encoding format used for serializing and deserializing Go values, commonly employed in network communications and data storage scenarios. When an attacker crafts a malicious message containing excessively nested structures, the decoder enters an infinite recursive loop that consumes system stack resources until exhaustion occurs.
The technical nature of this vulnerability stems from inadequate recursion depth checking within the gob decoder implementation. The flaw manifests when the decoder encounters serialized data with deeply nested maps, slices, or struct fields that create recursive data structures exceeding safe stack limits. This behavior directly maps to CWE-674, which describes "Uncontrolled Recursion" in software systems. The vulnerability operates at the application level within the Go runtime environment, specifically targeting the binary gob encoding/decoding mechanism that is part of the standard library. Attackers can exploit this by sending specially crafted payloads that appear legitimate but contain excessive nesting levels, causing the target application to panic and potentially crash.
The operational impact of CVE-2022-30635 extends beyond simple application crashes to encompass broader system stability and availability concerns. When exploited, the vulnerability can lead to denial of service conditions where legitimate users cannot access services due to stack exhaustion. Applications using gob for communication, including microservices architectures, distributed systems, and any Go-based network services, become vulnerable to this attack vector. The vulnerability is particularly concerning in environments where applications process untrusted data from external sources, such as API endpoints, message queues, or file uploads. From an adversary perspective, this represents a low-effort, high-impact attack that requires minimal technical expertise to execute while potentially causing significant disruption.
Mitigation strategies for CVE-2022-30635 primarily focus on upgrading affected Go versions to 1.17.12 or 1.18.4, which contain the necessary patches addressing the recursion depth limitations. Organizations should implement comprehensive patch management procedures to ensure all affected systems receive updates promptly. Additional defensive measures include implementing input validation and sanitization for any data processed through gob decoders, setting explicit recursion limits in application code, and monitoring for unusual stack consumption patterns. Network-level protections such as rate limiting and payload size restrictions can provide additional layers of defense. The vulnerability aligns with ATT&CK technique T1499.004, which covers "Uncontrolled Recursion" as a method of achieving denial of service. Organizations should also consider implementing runtime monitoring to detect potential exploitation attempts and establish incident response procedures for handling such security events.