CVE-2023-45290 in net-textproto
Summary
by MITRE • 03/06/2024
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/15/2026
This vulnerability represents a critical memory exhaustion issue in Go's HTTP request parsing functionality that affects applications processing multipart form data. The flaw exists in how the Go runtime handles form line parsing during multipart form processing, specifically when using functions like ParseMultipartForm, FormValue, PostFormValue, or FormFile. The vulnerability stems from insufficient bounds checking on individual form lines during the parsing process, allowing attackers to craft malicious inputs with extremely long lines that bypass normal size limitations. This creates a scenario where memory allocation can grow without proper constraints, potentially leading to system instability or denial of service conditions.
The technical implementation of this vulnerability resides in the HTTP request parsing logic within Go's standard library, specifically within the multipart form handling code that processes form data submitted via HTTP POST requests. When a multipart form is parsed, the system reads individual lines from the form data stream and allocates memory to store these lines. The flaw occurs because while there are limits imposed on the total form size, there are no corresponding limits on the maximum length of individual lines within that form. This creates a memory allocation bypass where a single malicious line can cause the system to allocate arbitrarily large amounts of memory, potentially exhausting available system resources.
From an operational perspective, this vulnerability poses significant risks to web applications that process user-uploaded form data, particularly those handling file uploads or complex form submissions. Attackers can exploit this by crafting multipart forms containing extremely long lines, which when processed by the vulnerable Go applications will trigger excessive memory consumption. The impact extends beyond simple resource exhaustion to potentially affect application availability and system stability, as the memory allocation can occur rapidly and consume all available memory on the server. This vulnerability is particularly concerning in environments where multiple concurrent users submit forms, as the cumulative effect can quickly overwhelm system resources.
The fix implemented addresses this issue by introducing proper bounds checking on individual form lines during the parsing process. The solution ensures that ParseMultipartForm function now correctly applies limits to the maximum size of form lines, preventing the allocation of arbitrarily large amounts of memory. This mitigation aligns with security best practices for input validation and resource management, preventing the type of memory exhaustion attacks that could be leveraged to disrupt service availability. The fix also aligns with industry standards such as CWE-1321 which addresses memory allocation issues in parsing operations and supports ATT&CK techniques related to resource exhaustion attacks.
This vulnerability demonstrates the importance of comprehensive input validation and the need for proper bounds checking in parsing operations. The flaw highlights how seemingly minor oversights in memory management can create significant security risks, particularly in applications handling user-provided data. Organizations using Go applications should prioritize updating their runtime environments to address this vulnerability, as the impact can be severe without proper mitigation. The issue also underscores the importance of regular security assessments of standard library functions and the need for robust testing of parsing logic under various input conditions to prevent similar vulnerabilities from emerging in the future.