Closed WGH- closed 1 year ago
Just FYI, this test case was found with the new Go 1.18 fuzzer (`*testing.F`).
This was assigned CVE-2022-37315.
@alex-lange @chris-ramon Would you mind taking a look when you have a chance?
If needed, let me know where I can help. Looks like the above PR may be the needed fix. (Due to the assigned CVE, my team is getting alerts to patch.)
@chris-ramon @sogko Are any maintainers available to take a look at this? This CVE is now 2 months old.
We can't afford to continue using dependencies with active CVEs. I'd much prefer to avoid dropping this dependency. If there's anything the community can do to help, please shout.
I apologize for dropping zero-day DoS without consideration...
`nancy` fails on this vulnerability now. Any chance to merge the fix?
Simple input `String r` crashes the parser with infinite recursion.
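As an added illustration, not code from graphql-go or from anyone in this thread, the following toy Go recursive-descent parser for a GraphQL-like type grammar (`Name`, `[Type]`, optional `!`) shows the two guards that turn this class of bug into a clean error instead of unbounded recursion: an unexpected token always fails rather than being retried, and a depth counter bounds nesting. The grammar, the names `ParseType`, `ErrUnexpected`, `ErrTooDeep` and the `MaxDepth` value are assumptions for the example; a Go 1.18 fuzz target calling `ParseType` is the kind of harness that would exercise these paths.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical limits and errors for this example (not graphql-go's).
const MaxDepth = 32

var (
	ErrTooDeep    = errors.New("type nesting too deep")
	ErrUnexpected = errors.New("unexpected token")
)

type parser struct {
	toks []string
	pos  int
}

// tokenize splits input such as "[String!]" into "[", "String", "!", "]".
// Whitespace separates names; everything else is part of a name.
func tokenize(s string) []string {
	var toks []string
	var name strings.Builder
	flush := func() {
		if name.Len() > 0 {
			toks = append(toks, name.String())
			name.Reset()
		}
	}
	for _, r := range s {
		switch r {
		case '[', ']', '!':
			flush()
			toks = append(toks, string(r))
		case ' ', '\t', '\n', '\r':
			flush()
		default:
			name.WriteRune(r)
		}
	}
	flush()
	return toks
}

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return ""
}

func (p *parser) next() string {
	t := p.peek()
	if t != "" {
		p.pos++ // every call that returns a token makes progress
	}
	return t
}

// parseType parses Type := Name | "[" Type "]", each optionally followed by "!".
// depth bounds recursion so hostile nesting yields ErrTooDeep, not a stack overflow.
func (p *parser) parseType(depth int) (string, error) {
	if depth > MaxDepth {
		return "", ErrTooDeep
	}
	var out string
	t := p.next()
	switch {
	case t == "[":
		inner, err := p.parseType(depth + 1)
		if err != nil {
			return "", err
		}
		if p.next() != "]" {
			return "", ErrUnexpected
		}
		out = "[" + inner + "]"
	case t == "" || t == "]" || t == "!":
		// An unexpected or missing token is a hard error; the parser never
		// loops back hoping for a different outcome on the same position.
		return "", ErrUnexpected
	default:
		out = t
	}
	if p.peek() == "!" {
		p.next()
		out += "!"
	}
	return out, nil
}

// ParseType parses exactly one type and rejects any trailing input,
// so "String r" is reported as an error rather than silently accepted.
func ParseType(src string) (string, error) {
	p := &parser{toks: tokenize(src)}
	out, err := p.parseType(0)
	if err != nil {
		return "", err
	}
	if p.pos != len(p.toks) {
		return "", fmt.Errorf("%w: trailing %q", ErrUnexpected, p.toks[p.pos])
	}
	return out, nil
}

func main() {
	deep := strings.Repeat("[", 1000) + "Int" + strings.Repeat("]", 1000)
	for _, in := range []string{"String", "[String!]!", "String r", deep} {
		out, err := ParseType(in)
		fmt.Printf("%.20q -> %q err=%v\n", in, out, err)
	}
}
```

The point to carry back to a real parser is the combination: every code path either consumes a token or returns an error, and the recursion depth is capped, so a fuzzer can only ever produce an error value, never a crash.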