CVE-2019-11939: Allocation of Resources Without Limits or Throttling

May 24, 2022 (updated September 29, 2023)

Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.

References

github.com/advisories/GHSA-w3r9-r9w7-8h48
github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
nvd.nist.gov/vuln/detail/CVE-2019-11939
pkg.go.dev/vuln/GO-2021-0082
www.facebook.com/security/advisories/cve-2019-11939

Code Behaviors & Features

Detect and mitigate CVE-2019-11939 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →