Vulnerability in golang.org/x/text/language package has been fixed
Adam Korczynski of ADA Logics recently discovered a vulnerability in the Go golang.org/x/text/language package that could be used to cause a denial of service.
What is the issue?
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. In practice, an attacker can send a very large Accept-Language header, and the ParseAcceptLanguage function will take an excessive amount of time to parse it.
How is the issue fixed?
The issue is tracked as CVE-2022-32149 and #56152.
Version v0.3.8 of golang.org/x/text fixes this vulnerability in the golang.org/x/text/language package.
Here are the details of the fix.
var errTagListTooLarge = errors.New("tag list exceeds max length")

func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
	defer func() {
		if recover() != nil {
			tag = nil
			q = nil
			err = language.ErrSyntax
		}
	}()

	// Reject the input up front if it contains too many subtag separators.
	// This linear-time check bounds the work the quadratic parser can be
	// forced to do on untrusted input.
	if strings.Count(s, "-") > 1000 {
		return nil, nil, errTagListTooLarge
	}
	// ... the remainder of the function (the actual tag-list parsing) is omitted here.
With this fix, ParseAcceptLanguage rejects excessively large Accept-Language strings (more than 1000 subtag separators) with errTagListTooLarge before any parsing work is done, instead of spending quadratic time on them.
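The fix above is a pre-parse size guard. The same idea can be applied at the application boundary, which helps services that cannot upgrade golang.org/x/text immediately and gives a place to log oversized headers for detection. The following is an added example, not code from the page or from the golang.org/x/text project: it reuses the 1000-separator limit from the fix, adds an assumed 4096-byte cap (a value chosen for this example), and wraps an http.Handler so that an oversized Accept-Language header is dropped and logged rather than handed to a parser. The function and constant names (checkAcceptLanguage, withAcceptLanguageGuard, maxAcceptLanguageBytes) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxSubtagSeparators mirrors the limit in the v0.3.8 fix (more than 1000
// hyphens is rejected). maxAcceptLanguageBytes is an additional cap assumed
// for this example; it is not part of golang.org/x/text.
const (
	maxSubtagSeparators    = 1000
	maxAcceptLanguageBytes = 4096
)

var (
	errTagListTooLarge = errors.New("accept-language: tag list exceeds max length")
	errHeaderTooLong   = errors.New("accept-language: header exceeds byte limit")
)

// checkAcceptLanguage screens an Accept-Language value before it reaches a
// BCP 47 parser. Both checks run in time linear in the header length, so the
// guard itself cannot be turned into a new slow path.
func checkAcceptLanguage(s string) error {
	if len(s) > maxAcceptLanguageBytes {
		return errHeaderTooLong
	}
	if strings.Count(s, "-") > maxSubtagSeparators {
		return errTagListTooLarge
	}
	return nil
}

// withAcceptLanguageGuard wraps a handler. An oversized header is removed
// from the request so downstream code falls back to its default language,
// and the event is passed to log so it can feed detection.
func withAcceptLanguageGuard(next http.Handler, log func(string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := r.Header.Get("Accept-Language"); v != "" {
			if err := checkAcceptLanguage(v); err != nil {
				log(fmt.Sprintf("dropping Accept-Language from %s: %v (len=%d)", r.RemoteAddr, err, len(v)))
				r.Header.Del("Accept-Language")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// constructedHeader builds an Accept-Language value with n subtag separators.
// This is constructed test data with the shape the advisory describes.
func constructedHeader(n int) string {
	return "en" + strings.Repeat("-x", n)
}

// serveWithHeader pushes one request through the guarded handler and reports
// the Accept-Language value the inner handler actually observed plus any log lines.
func serveWithHeader(header string) (seen string, logged []string) {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Accept-Language")
		w.WriteHeader(http.StatusOK)
	})
	h := withAcceptLanguageGuard(inner, func(msg string) { logged = append(logged, msg) })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if header != "" {
		req.Header.Set("Accept-Language", header)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen, logged
}

func main() {
	for _, h := range []string{"en-US,en;q=0.9,de;q=0.8", constructedHeader(1001)} {
		seen, logged := serveWithHeader(h)
		fmt.Printf("input len=%d -> passed through=%t, log entries=%d\n", len(h), seen != "", len(logged))
	}
}
```

Dropping the header rather than answering with an error keeps the response path identical for malformed and well-formed clients while still denying the parser the oversized input; the log line is where a detection rule for repeated oversized Accept-Language values would hook in. Upgrading to golang.org/x/text v0.3.8 or later remains the actual fix; this guard only adds defence in depth.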
Official announcement
Here is the official announcement of this fix in the golang.org/x/text/language package.