GHSA-29QP-CRVH-W22M
Vulnerability from github – Published: 2025-01-29 19:19 – Updated: 2025-02-06 17:31Withdrawn Advisory
This advisory has been withdrawn because further research determined that github.com/hashicorp/yamux was not vulnerable to denial of service in the manner described. This link is maintained to preserve external references.
Original Description
The default values for Session.config.KeepAliveInterval and Session.config.ConnectionWriteTimeout of 30s and 10s create the possibility for timed out writes that most aren't handling in their readers.
Calls to Stream.Read on one side of a connection will hang until the underlying Session is closed if the corresponding Stream.Write call on the other side it's waiting for returns with ErrConnectionWriteTimeout. This happens in the case of network congestion between the two sides.
If you keep Session.sendCh full (fixed capacity of 64) for ConnectionWriteTimeout, but for less than the KeepAliveInterval + ConnectionWriteTimeout (which would kill the Session), Stream.Write will return ErrConnectionWriteTimeout. The state of the underlying Session or Stream is not modified. When this happens, the other side's Stream.Read call that's waiting for that write will never return because there's no timeout for this edge-case.
Since no keep alive timed out, you can continue to use the Session once the network congestion is resolved, but that Stream.Read call will only return when the Session closes or the response shows up. Since the write call on the other side timed out the call to Stream.Read will never return.
Any conditions that cause network writes to stall for 10-30 seconds can trigger this Denial of Service- extremely high CPU contention on either side of the connection, BGP reconvergence, etc. To resolve the Denial of Service issue, you have to re-establish the connections, which will usually require a hard restart of the service on either end of the connection.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/yamux"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"last_affected": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-29T19:19:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because further research determined that `github.com/hashicorp/yamux` was not vulnerable to denial of service in the manner described. This link is maintained to preserve external references.\n\n## Original Description\nThe default values for Session.config.KeepAliveInterval and Session.config.ConnectionWriteTimeout of 30s and 10s create the possibility for timed out writes that most aren\u0027t handling in their readers.\n\nCalls to Stream.Read on one side of a connection will hang until the underlying Session is closed if the corresponding Stream.Write call on the other side it\u0027s waiting for returns with ErrConnectionWriteTimeout. This happens in the case of network congestion between the two sides.\n\nIf you keep Session.sendCh full (fixed capacity of 64) for ConnectionWriteTimeout, but for less than the KeepAliveInterval + ConnectionWriteTimeout (which would kill the Session), Stream.Write will return ErrConnectionWriteTimeout. The state of the underlying Session or Stream is not modified. When this happens, the other side\u0027s Stream.Read call that\u0027s waiting for that write will never return because there\u0027s no timeout for this edge-case.\n\nSince no keep alive timed out, you can continue to use the Session once the network congestion is resolved, but that Stream.Read call will only return when the Session closes or the response shows up. Since the write call on the other side timed out the call to Stream.Read will never return.\n\nAny conditions that cause network writes to stall for 10-30 seconds can trigger this Denial of Service- extremely high CPU contention on either side of the connection, BGP reconvergence, etc. To resolve the Denial of Service issue, you have to re-establish the connections, which will usually require a hard restart of the service on either end of the connection.",
"id": "GHSA-29qp-crvh-w22m",
"modified": "2025-02-06T17:31:23Z",
"published": "2025-01-29T19:19:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/golang/vulndb/issues/3408"
},
{
"type": "WEB",
"url": "https://github.com/golang/vulndb/issues/3453"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/yamux/issues/142"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/yamux/pull/143"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/yamux"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn Advisory: github.com/hashicorp/yamux\u0027s DefaultConfig has dangerous defaults causing hung Read",
"withdrawn": "2025-02-06T17:31:23Z"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.