CVE-2024-45338: Non-linear parsing of case-insensitive content in golang.org/x/net/html

Q: What is the severity of CVE-2024-45338?

CVE-2024-45338 is classified as a denial-of-service vulnerability due to its potential for causing extremely slow parsing.

Q: How do I fix CVE-2024-45338?

To mitigate CVE-2024-45338, upgrade the golang.org/x/net package to version 0.33.0 or later.

Q: What software is affected by CVE-2024-45338?

CVE-2024-45338 affects golang.org/x/net version 0.33.0 and earlier, as well as specific versions of the debian package golang-golang-x-net.

Q: What impact does CVE-2024-45338 have on applications?

CVE-2024-45338 can lead to denial-of-service conditions, impacting the responsiveness and availability of applications using the affected parsing functions.

Q: Who is responsible for patching CVE-2024-45338?

Maintainers of the affected software packages are responsible for releasing patches to address CVE-2024-45338.

Published Dec 18, 2024

Updated

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Affected Software

3 affected componentsFixes available

debian/golang-golang-x-net<=1:0.0+git20210119.5f4716e+dfsg-4, <=1:0.7.0+dfsg-1, <=1:0.27.0-1

go/golang.org/x/net/html<0.33.0

0.33.0

IBM Concert Software<=1.0.0-2.1.0

Event History

Dec 18, 2024

CVE Published

via MITRE·08:38 PM

Data Sourced

via MITRE·08:38 PM

DescriptionWeakness

Data Sourced

via Red Hat·09:01 PM

DescriptionSeverityAffected Software

Data Sourced

via NVD·09:15 PM

DescriptionSeverityWeakness

Advisory Published

via GitHub·09:59 PM

Jan 13, 2025

Data Sourced

via Ubuntu·06:41 PM

RemedyDescriptionSeverityAffected Software

Jan 21, 2026

Data Sourced

via IBM·12:00 AM

DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

IBM-7257565

Frequently Asked Questions

What is the severity of CVE-2024-45338?

CVE-2024-45338 is classified as a denial-of-service vulnerability due to its potential for causing extremely slow parsing.

How do I fix CVE-2024-45338?

To mitigate CVE-2024-45338, upgrade the golang.org/x/net package to version 0.33.0 or later.

What software is affected by CVE-2024-45338?

CVE-2024-45338 affects golang.org/x/net version 0.33.0 and earlier, as well as specific versions of the debian package golang-golang-x-net.

What impact does CVE-2024-45338 have on applications?

CVE-2024-45338 can lead to denial-of-service conditions, impacting the responsiveness and availability of applications using the affected parsing functions.

Who is responsible for patching CVE-2024-45338?

Maintainers of the affected software packages are responsible for releasing patches to address CVE-2024-45338.

CVE-2024-45338: Non-linear parsing of case-insensitive content in golang.org/x/net/html

Affected Software

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2024-45338?

How do I fix CVE-2024-45338?

What software is affected by CVE-2024-45338?

What impact does CVE-2024-45338 have on applications?

Who is responsible for patching CVE-2024-45338?

Company

Resources

Contact