CVE-2022-1962 Overview
CVE-2022-1962 is a denial of service vulnerability affecting the Go programming language's parser component. Uncontrolled recursion in the Parse functions within go/parser allows an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. This vulnerability affects Go versions prior to 1.17.12 and Go 1.18.4.
Critical Impact
Applications using the Go parser to process untrusted input can be crashed through stack exhaustion, leading to denial of service conditions.
Affected Products
- Golang Go versions prior to 1.17.12
- Golang Go versions 1.18.x prior to 1.18.4
Discovery Timeline
- 2022-08-10 - CVE CVE-2022-1962 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-1962
Vulnerability Analysis
This vulnerability stems from CWE-674 (Uncontrolled Recursion), a weakness where the software does not properly control the amount of recursion that occurs. When the Go parser encounters deeply nested type declarations or code structures, it processes them recursively without adequate depth limits. Each recursive call consumes stack space, and sufficiently deep nesting exhausts the available stack memory, triggering a panic condition.
The go/parser package is widely used in Go tooling, including IDEs, linters, code formatters, and build systems. Any application that parses Go source code from untrusted sources could be vulnerable to this denial of service attack.
Root Cause
The root cause lies in the recursive descent parsing implementation within the go/parser package. When parsing nested structures such as deeply nested type definitions, function declarations, or expression trees, the parser makes recursive function calls proportional to the nesting depth. Without a recursion limit, an attacker-controlled input with extreme nesting depth can exhaust the call stack, causing the Go runtime to panic.
Attack Vector
The attack requires local access to provide malicious input to an application using the vulnerable parser. An attacker would craft a specially formed Go source file containing deeply nested declarations or type definitions. When this file is processed by a vulnerable application—such as a code analysis tool, formatter, or build system—the parser enters deep recursion and exhausts stack memory.
The attack vector is local, meaning the attacker must be able to provide the malicious input to a vulnerable application on the target system. This could occur through various means such as submitting code for analysis, providing source files to a build system, or uploading Go code to a service that parses it.
Detection Methods for CVE-2022-1962
Indicators of Compromise
- Unexpected application crashes or panics in Go-based tooling when processing source files
- Stack overflow errors in logs from applications using go/parser
- Go source files with unusually deep nesting levels in the codebase
- Process termination with stack exhaustion messages
Detection Strategies
- Monitor for panic conditions in Go applications that process source code
- Implement file analysis to detect abnormally nested Go source structures before parsing
- Review application logs for stack-related errors during parsing operations
- Use static analysis to identify usage of go/parser package in codebases
Monitoring Recommendations
- Set up alerting for repeated crashes in Go-based code analysis tools
- Monitor resource utilization for applications processing untrusted Go source files
- Track error rates in CI/CD pipelines that compile or analyze Go code
- Implement health checks for services that parse Go source code
How to Mitigate CVE-2022-1962
Immediate Actions Required
- Upgrade Go to version 1.17.12 or later for the 1.17.x branch
- Upgrade Go to version 1.18.4 or later for the 1.18.x branch
- Audit applications that parse untrusted Go source code
- Consider implementing input validation to reject excessively nested source files
Patch Information
The Go team has addressed this vulnerability with patches available in Go 1.17.12 and Go 1.18.4. The fix introduces recursion depth limits in the parser to prevent stack exhaustion. Detailed information about the fix is available through the following resources:
- Go.dev Code Review
- Go.dev Issue Tracker
- Go Source Code Change
- Golang Announce Post
- Go.dev Vulnerability Advisory
Workarounds
- Limit exposure by not parsing Go source code from untrusted sources until patched
- Implement pre-parsing validation to check nesting depth of input files
- Run parsing operations in isolated environments with resource limits
- Use process sandboxing to contain potential crashes from affecting wider systems
# Verify current Go version and upgrade if vulnerable
go version
# Update Go to patched version (example using Go installer)
# For Go 1.17.x branch:
go install golang.org/dl/go1.17.12@latest
go1.17.12 download
# For Go 1.18.x branch:
go install golang.org/dl/go1.18.4@latest
go1.18.4 download
# Verify updated version
go version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
