Skip to content

Improper Input Validation and Excessive Iteration in Go Facebook Thrift

High severity GitHub Reviewed Published Feb 15, 2022 to the GitHub Advisory Database • Updated Aug 29, 2023

Package

gomod github.com/facebook/fbthrift (Go)

Affected versions

< 0.31.1-0.20190225164308-c461c1bd1a3e

Patched versions

0.31.1-0.20190225164308-c461c1bd1a3e

Description

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.

References

Published by the National Vulnerability Database May 6, 2019
Reviewed May 17, 2021
Published to the GitHub Advisory Database Feb 15, 2022
Last updated Aug 29, 2023

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2019-3564

GHSA ID

GHSA-x4rg-4545-4w7w

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.