GMS-2023-737: Panic leading to denial of service

March 14, 2023

Parsing invalid messages can panic.

Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

References

github.com/advisories/GHSA-hw7c-3rfg-p46j
github.com/golang/protobuf/issues/1530
go.dev/cl/475995
pkg.go.dev/vuln/GO-2023-1631

Detect and mitigate GMS-2023-737 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →