{"api_version":"1","generated_at":"2026-04-22T23:09:10+00:00","cve":"CVE-2023-24534","urls":{"html":"https://cve.report/CVE-2023-24534","api":"https://cve.report/api/cve/CVE-2023-24534.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24534","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24534"},"summary":{"title":"CVE-2023-24534","description":"HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-04-06 16:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230526-0007/","name":"https://security.netapp.com/advisory/ntap-20230526-0007/","refsource":"MISC","tags":[],"title":"April 2023 Golang Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","name":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","refsource":"MISC","tags":[],"title":"[security] Go 1.20.3 and Go 1.19.8 are released","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pkg.go.dev/vuln/GO-2023-1704","name":"https://pkg.go.dev/vuln/GO-2023-1704","refsource":"MISC","tags":[],"title":"GO-2023-1704 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/481994","name":"https://go.dev/cl/481994","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/58975","name":"https://go.dev/issue/58975","refsource":"MISC","tags":[],"title":"net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534) · Issue #58975 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24534","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24534","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24534","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24534","qid":"161061","title":"Oracle Enterprise Linux Security Update for skopeo (ELSA-2023-6363)"},{"cve":"CVE-2023-24534","qid":"161062","title":"Oracle Enterprise Linux Security Update for containernetworking-plugins (ELSA-2023-6402)"},{"cve":"CVE-2023-24534","qid":"161063","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2023-6474)"},{"cve":"CVE-2023-24534","qid":"161102","title":"Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-6420)"},{"cve":"CVE-2023-24534","qid":"161105","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2023-6473)"},{"cve":"CVE-2023-24534","qid":"161175","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2023-6939)"},{"cve":"CVE-2023-24534","qid":"161187","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2023-6938)"},{"cve":"CVE-2023-24534","qid":"182296","title":"Debian Security Update for golang-1.19 (CVE-2023-24534)"},{"cve":"CVE-2023-24534","qid":"199304","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6038-1)"},{"cve":"CVE-2023-24534","qid":"199396","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6140-1)"},{"cve":"CVE-2023-24534","qid":"241582","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2023:3445)"},{"cve":"CVE-2023-24534","qid":"241715","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3540)"},{"cve":"CVE-2023-24534","qid":"241745","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24534","qid":"241856","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4093)"},{"cve":"CVE-2023-24534","qid":"241924","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4459)"},{"cve":"CVE-2023-24534","qid":"242287","title":"Red Hat Update for buildah (RHSA-2023:6473)"},{"cve":"CVE-2023-24534","qid":"242288","title":"Red Hat Update for toolbox (RHSA-2023:6346)"},{"cve":"CVE-2023-24534","qid":"242299","title":"Red Hat Update for containernetworking-plugins (RHSA-2023:6402)"},{"cve":"CVE-2023-24534","qid":"242309","title":"Red Hat Update for grafana (RHSA-2023:6420)"},{"cve":"CVE-2023-24534","qid":"242319","title":"Red Hat Update for skopeo (RHSA-2023:6363)"},{"cve":"CVE-2023-24534","qid":"242335","title":"Red Hat Update for podman security (RHSA-2023:6474)"},{"cve":"CVE-2023-24534","qid":"242365","title":"Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5964)"},{"cve":"CVE-2023-24534","qid":"242415","title":"Red Hat Update for container-tools:rhel8 (RHSA-2023:6939)"},{"cve":"CVE-2023-24534","qid":"242458","title":"Red Hat Update for container-tools:4.0 (RHSA-2023:6938)"},{"cve":"CVE-2023-24534","qid":"354890","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2015"},{"cve":"CVE-2023-24534","qid":"354901","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1731"},{"cve":"CVE-2023-24534","qid":"355089","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2037"},{"cve":"CVE-2023-24534","qid":"355216","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-175"},{"cve":"CVE-2023-24534","qid":"355797","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-026"},{"cve":"CVE-2023-24534","qid":"355837","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-029"},{"cve":"CVE-2023-24534","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-24534","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-24534","qid":"379641","title":"Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2024:0050)"},{"cve":"CVE-2023-24534","qid":"502863","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24534","qid":"502894","title":"Alpine Linux Security Update for nomad"},{"cve":"CVE-2023-24534","qid":"503188","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24534","qid":"503204","title":"Alpine Linux Security Update for nomad"},{"cve":"CVE-2023-24534","qid":"503271","title":"Alpine Linux Security Update for traefik"},{"cve":"CVE-2023-24534","qid":"506081","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24534","qid":"506263","title":"Alpine Linux Security Update for traefik"},{"cve":"CVE-2023-24534","qid":"673181","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2334)"},{"cve":"CVE-2023-24534","qid":"673202","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2314)"},{"cve":"CVE-2023-24534","qid":"673210","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2382)"},{"cve":"CVE-2023-24534","qid":"673238","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2356)"},{"cve":"CVE-2023-24534","qid":"673548","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2644)"},{"cve":"CVE-2023-24534","qid":"673694","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2686)"},{"cve":"CVE-2023-24534","qid":"691117","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (348ee234-d541-11ed-ad86-a134a566f1e6)"},{"cve":"CVE-2023-24534","qid":"691126","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for traefik (02e51cb3-d7e4-11ed-9f7a-5404a68ad561)"},{"cve":"CVE-2023-24534","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-24534","qid":"753895","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:1792-1)"},{"cve":"CVE-2023-24534","qid":"753976","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:2127-1)"},{"cve":"CVE-2023-24534","qid":"753977","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:2105-2)"},{"cve":"CVE-2023-24534","qid":"770195","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24534","qid":"770200","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4093)"},{"cve":"CVE-2023-24534","qid":"770202","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4459)"},{"cve":"CVE-2023-24534","qid":"907515","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (25990-1)"},{"cve":"CVE-2023-24534","qid":"907873","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (25990-2)"},{"cve":"CVE-2023-24534","qid":"907885","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (26027-1)"},{"cve":"CVE-2023-24534","qid":"941383","title":"AlmaLinux Security Update for containernetworking-plugins (ALSA-2023:6402)"},{"cve":"CVE-2023-24534","qid":"941386","title":"AlmaLinux Security Update for buildah (ALSA-2023:6473)"},{"cve":"CVE-2023-24534","qid":"941391","title":"AlmaLinux Security Update for toolbox (ALSA-2023:6346)"},{"cve":"CVE-2023-24534","qid":"941399","title":"AlmaLinux Security Update for podman (ALSA-2023:6474)"},{"cve":"CVE-2023-24534","qid":"941404","title":"AlmaLinux Security Update for grafana (ALSA-2023:6420)"},{"cve":"CVE-2023-24534","qid":"941405","title":"AlmaLinux Security Update for skopeo (ALSA-2023:6363)"},{"cve":"CVE-2023-24534","qid":"941444","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2023:6938)"},{"cve":"CVE-2023-24534","qid":"941481","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2023:6939)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24534","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource Consumption"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"net/textproto","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.8"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/58975","refsource":"MISC","name":"https://go.dev/issue/58975"},{"url":"https://go.dev/cl/481994","refsource":"MISC","name":"https://go.dev/cl/481994"},{"url":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"},{"url":"https://pkg.go.dev/vuln/GO-2023-1704","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1704"},{"url":"https://security.netapp.com/advisory/ntap-20230526-0007/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230526-0007/"}]},"credits":[{"lang":"en","value":"Jakob Ackermann (@das7pad)"}]},"nvd":{"publishedDate":"2023-04-06 16:15:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}