CVE-2022-30630 Overview
CVE-2022-30630 is an uncontrolled recursion vulnerability in the Glob function within the io/fs package of the Go programming language. This vulnerability allows an attacker to cause a panic due to stack exhaustion by providing a path containing a large number of path separators. The flaw affects Go versions prior to 1.17.12 and 1.18.4, potentially enabling denial of service attacks against applications that process user-controlled file path patterns.
Critical Impact
Applications using the affected io/fs.Glob function can be crashed through stack exhaustion, causing service disruption when processing maliciously crafted paths with excessive separators.
Affected Products
- Golang Go versions prior to 1.17.12
- Golang Go versions 1.18.x prior to 1.18.4
Discovery Timeline
- 2022-08-10 - CVE-2022-30630 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-30630
Vulnerability Analysis
The vulnerability (CWE-674: Uncontrolled Recursion) resides in the Glob function of Go's io/fs package. When processing file path patterns, the function recursively traverses path components without adequate depth limiting or stack boundary checking. An attacker can exploit this behavior by supplying a specially crafted path string containing an excessive number of path separators, triggering deep recursion that exhausts the call stack and causes the Go runtime to panic.
This denial of service vulnerability is particularly concerning for web applications, file processing services, or any Go application that accepts user-controlled input for file path pattern matching operations. The attack requires no authentication or special privileges, making it accessible to remote attackers over the network.
Root Cause
The root cause is the absence of recursion depth limits in the io/fs.Glob function's path traversal logic. The function processes each path separator by making recursive calls, and when presented with a path containing an abnormally large number of separators, the recursion depth exceeds the available stack space. Go's runtime detects the stack exhaustion and triggers a panic, terminating the goroutine or potentially the entire application depending on recovery handling.
Attack Vector
The attack vector involves sending a maliciously crafted path string to any application endpoint that ultimately passes user input to the io/fs.Glob function. The attacker constructs a path with thousands of consecutive path separators (e.g., /////... on Unix or \\\\\... on Windows), causing the vulnerable function to recurse deeply for each separator. Since the attack is network-accessible and requires no user interaction or privileges, it presents a significant risk for internet-facing Go applications.
The exploitation is straightforward: identify an application that uses Glob with user-controllable input, then send a request containing a path with excessive separators. The application will panic and crash, achieving denial of service.
Detection Methods for CVE-2022-30630
Indicators of Compromise
- Application crashes or panics with stack overflow errors in Go runtime logs
- Unusual patterns of requests containing paths with excessive path separator characters
- Repeated service restarts or failures in Go-based applications handling file patterns
- Log entries showing panic recovery attempts in io/fs or path/filepath packages
Detection Strategies
- Monitor Go application logs for panic messages related to stack exhaustion or runtime stack overflow
- Implement input validation to detect and reject paths containing abnormally high numbers of path separators
- Use application performance monitoring to detect sudden crashes or goroutine terminations
- Deploy web application firewalls with rules to identify and block requests containing malformed paths
Monitoring Recommendations
- Enable detailed logging for all file system operations involving glob patterns
- Set up alerts for Go runtime panic events in production environments
- Monitor for repeated crash-restart cycles in containerized Go applications
- Implement rate limiting on endpoints that accept file path parameters
How to Mitigate CVE-2022-30630
Immediate Actions Required
- Upgrade Go to version 1.17.12 or later for the 1.17.x branch
- Upgrade Go to version 1.18.4 or later for the 1.18.x branch
- Rebuild all Go applications with the patched Go version
- Review application code for usage of io/fs.Glob with user-controlled input
Patch Information
The Go team has released patches addressing this vulnerability in Go versions 1.17.12 and 1.18.4. The fix is documented in Go.dev CL #417065 and tracked in Go.dev Issue #53415. The specific code change can be reviewed in the Go Source Code Change. Additional details are available in the Golang Announcement and the Go.dev Vulnerability GO-2022-0527 advisory.
Workarounds
- Implement input sanitization to limit the number of consecutive path separators in user-supplied paths
- Add application-level validation to reject paths exceeding a reasonable length or separator count
- Use recover() handlers around Glob calls to prevent application-wide crashes
- Consider using alternative file matching libraries with built-in recursion limits until patching is possible
# Check current Go version
go version
# Update Go to patched version (example for Go 1.18.x)
go install golang.org/dl/go1.18.4@latest
go1.18.4 download
# Rebuild applications with patched Go version
go build -o myapp ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
