{"schema_version":"1.3.1","id":"GO-2024-3106","modified":"2024-09-06T19:15:23Z","published":"2024-09-06T19:15:23Z","aliases":["CVE-2024-34156"],"related":["CVE-2022-30635"],"summary":"Stack exhaustion in Decoder.Decode in encoding/gob","details":"Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.22.7"},{"introduced":"1.23.0-0"},{"fixed":"1.23.1"}]}],"ecosystem_specific":{"imports":[{"path":"encoding/gob","symbols":["Decoder.Decode","Decoder.DecodeValue","Decoder.decIgnoreOpFor"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/611239"},{"type":"REPORT","url":"https://go.dev/issue/69139"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"}],"credits":[{"name":"Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-3106","review_status":"REVIEWED"}}