{"api_version":"1","generated_at":"2026-04-23T06:19:53+00:00","cve":"CVE-2023-24536","urls":{"html":"https://cve.report/CVE-2023-24536","api":"https://cve.report/api/cve/CVE-2023-24536.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24536","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24536"},"summary":{"title":"CVE-2023-24536","description":"Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-04-06 16:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://go.dev/cl/482076","name":"https://go.dev/cl/482076","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230526-0007/","name":"https://security.netapp.com/advisory/ntap-20230526-0007/","refsource":"MISC","tags":[],"title":"April 2023 Golang Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/482077","name":"https://go.dev/cl/482077","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","name":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","refsource":"MISC","tags":[],"title":"[security] Go 1.20.3 and Go 1.19.8 are released","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://go.dev/cl/482075","name":"https://go.dev/cl/482075","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2023-1705","name":"https://pkg.go.dev/vuln/GO-2023-1705","refsource":"MISC","tags":[],"title":"GO-2023-1705 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/59153","name":"https://go.dev/issue/59153","refsource":"MISC","tags":[],"title":"net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) · Issue #59153 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24536","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24536","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24536","qid":"161061","title":"Oracle Enterprise Linux Security Update for skopeo (ELSA-2023-6363)"},{"cve":"CVE-2023-24536","qid":"161062","title":"Oracle Enterprise Linux Security Update for containernetworking-plugins (ELSA-2023-6402)"},{"cve":"CVE-2023-24536","qid":"161063","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2023-6474)"},{"cve":"CVE-2023-24536","qid":"161105","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2023-6473)"},{"cve":"CVE-2023-24536","qid":"161175","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2023-6939)"},{"cve":"CVE-2023-24536","qid":"161187","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2023-6938)"},{"cve":"CVE-2023-24536","qid":"241582","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2023:3445)"},{"cve":"CVE-2023-24536","qid":"241715","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3540)"},{"cve":"CVE-2023-24536","qid":"241745","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24536","qid":"241856","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4093)"},{"cve":"CVE-2023-24536","qid":"242287","title":"Red Hat Update for buildah (RHSA-2023:6473)"},{"cve":"CVE-2023-24536","qid":"242288","title":"Red Hat Update for toolbox (RHSA-2023:6346)"},{"cve":"CVE-2023-24536","qid":"242299","title":"Red Hat Update for containernetworking-plugins (RHSA-2023:6402)"},{"cve":"CVE-2023-24536","qid":"242319","title":"Red Hat Update for skopeo (RHSA-2023:6363)"},{"cve":"CVE-2023-24536","qid":"242335","title":"Red Hat Update for podman security (RHSA-2023:6474)"},{"cve":"CVE-2023-24536","qid":"242365","title":"Red Hat Update for OpenStack Platform 16.2.5 (RHSA-2023:5964)"},{"cve":"CVE-2023-24536","qid":"242415","title":"Red Hat Update for container-tools:rhel8 (RHSA-2023:6939)"},{"cve":"CVE-2023-24536","qid":"242458","title":"Red Hat Update for container-tools:4.0 (RHSA-2023:6938)"},{"cve":"CVE-2023-24536","qid":"354890","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2015"},{"cve":"CVE-2023-24536","qid":"354901","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1731"},{"cve":"CVE-2023-24536","qid":"355216","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-175"},{"cve":"CVE-2023-24536","qid":"355697","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2163"},{"cve":"CVE-2023-24536","qid":"355797","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-026"},{"cve":"CVE-2023-24536","qid":"355837","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-029"},{"cve":"CVE-2023-24536","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-24536","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-24536","qid":"379641","title":"Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2024:0050)"},{"cve":"CVE-2023-24536","qid":"502863","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24536","qid":"503188","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24536","qid":"506081","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24536","qid":"673210","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2382)"},{"cve":"CVE-2023-24536","qid":"673238","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2356)"},{"cve":"CVE-2023-24536","qid":"673548","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2644)"},{"cve":"CVE-2023-24536","qid":"673694","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2686)"},{"cve":"CVE-2023-24536","qid":"691117","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (348ee234-d541-11ed-ad86-a134a566f1e6)"},{"cve":"CVE-2023-24536","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-24536","qid":"753895","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:1792-1)"},{"cve":"CVE-2023-24536","qid":"753976","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:2127-1)"},{"cve":"CVE-2023-24536","qid":"753977","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:2105-2)"},{"cve":"CVE-2023-24536","qid":"770195","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24536","qid":"770200","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:4093)"},{"cve":"CVE-2023-24536","qid":"907884","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (26028-1)"},{"cve":"CVE-2023-24536","qid":"908056","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (37431-1)"},{"cve":"CVE-2023-24536","qid":"941383","title":"AlmaLinux Security Update for containernetworking-plugins (ALSA-2023:6402)"},{"cve":"CVE-2023-24536","qid":"941386","title":"AlmaLinux Security Update for buildah (ALSA-2023:6473)"},{"cve":"CVE-2023-24536","qid":"941391","title":"AlmaLinux Security Update for toolbox (ALSA-2023:6346)"},{"cve":"CVE-2023-24536","qid":"941399","title":"AlmaLinux Security Update for podman (ALSA-2023:6474)"},{"cve":"CVE-2023-24536","qid":"941405","title":"AlmaLinux Security Update for skopeo (ALSA-2023:6363)"},{"cve":"CVE-2023-24536","qid":"941444","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2023:6938)"},{"cve":"CVE-2023-24536","qid":"941481","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2023:6939)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24536","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource Consumption"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"mime/multipart","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.8"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.3"}]}},{"product_name":"net/textproto","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.8"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/59153","refsource":"MISC","name":"https://go.dev/issue/59153"},{"url":"https://go.dev/cl/482076","refsource":"MISC","name":"https://go.dev/cl/482076"},{"url":"https://go.dev/cl/482075","refsource":"MISC","name":"https://go.dev/cl/482075"},{"url":"https://go.dev/cl/482077","refsource":"MISC","name":"https://go.dev/cl/482077"},{"url":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"},{"url":"https://pkg.go.dev/vuln/GO-2023-1705","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1705"},{"url":"https://security.netapp.com/advisory/ntap-20230526-0007/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230526-0007/"}]},"credits":[{"lang":"en","value":"Jakob Ackermann (@das7pad)"}]},"nvd":{"publishedDate":"2023-04-06 16:15:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}