Go Parse Function Stack Exhaustion via Deeply Nested Literals
CVE-2024-34155 Published on September 6, 2024
Stack exhaustion in all Parse functions in go/parser
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
Vulnerability Analysis
CVE-2024-34155 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Products Associated with CVE-2024-34155
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or GoLang Go. Just hit a watch button to start following.
Affected Versions
Go standard library go/parser:- Before 1.22.7 is affected.
- Version 1.23.0-0 and below 1.23.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.