CVE-2022-1962 Stack exhaustion due to deeply nested types in go/parser

2022-08-0920:18:18

www.cve.org

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.2%

JSON

Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "go/parser",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "go/parser",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.17.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.18.0-0",
        "lessThan": "1.18.4",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "ParseFile"
      },
      {
        "name": "ParseExprFrom"
      },
      {
        "name": "parser.tryIdentOrType"
      },
      {
        "name": "parser.parsePrimaryExpr"
      },
      {
        "name": "parser.parseUnaryExpr"
      },
      {
        "name": "parser.parseBinaryExpr"
      },
      {
        "name": "parser.parseIfStmt"
      },
      {
        "name": "parser.parseStmt"
      },
      {
        "name": "resolver.openScope"
      },
      {
        "name": "resolver.closeScope"
      }
    ],
    "defaultStatus": "unaffected"
  }
]