Vulnerability in package has been fixed

Recently Adam Korczynski of ADA Logics, discovered a vulnerability in Go language text/language package, which could cause a denial of service attack.

What is the issue?

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design.

Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers.

Further, an attacker can create a large Accept-Language header, which the ParseAcceptLanguage function will take too much time to parse.

How the issue is fixed?

This issue tracked by CVE-2022-32149 and #56152

The version v0.3.8 of fixes this vulnerability in the package

Here is the complete details regarding the fix.

Fix in ParseAcceptLanguage

var errTagListTooLarge = errors.New("tag list exceeds max length")

func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
	defer func() {
		if recover() != nil {
			tag = nil
			q = nil
			err = language.ErrSyntax

    // return error If the string length is high
	if strings.Count(s, "-") > 1000 {
		return nil, nil, errTagListTooLarge

With the above fix ParseAcceptLanguage function reject excessively large Accept-Language strings.

Official announcement

Here is the Official announcement regarding this fix in package

Official announcement