CVE-2022-30631 Overview
CVE-2022-30631 is a denial of service vulnerability affecting the Go programming language's compress/gzip package. The vulnerability stems from uncontrolled recursion in the Reader.Read function, which allows an attacker to cause a panic due to stack exhaustion. This can be triggered by processing a specially crafted archive containing a large number of concatenated 0-length compressed files.
Critical Impact
Applications using Go's gzip decompression functionality can be crashed remotely through stack exhaustion, causing service disruption for any Go-based service processing untrusted gzip archives.
Affected Products
- Golang Go versions prior to 1.17.12
- Golang Go versions 1.18.x prior to 1.18.4
Discovery Timeline
- 2022-08-10 - CVE-2022-30631 published to NVD
- 2025-10-20 - Last updated in NVD database
Technical Details for CVE-2022-30631
Vulnerability Analysis
The vulnerability exists in Go's standard library compress/gzip package, specifically within the Reader.Read function. When processing gzip archives, the function handles concatenated gzip members recursively. An attacker can exploit this behavior by crafting a malicious archive containing numerous concatenated 0-length compressed files. Each empty compressed member triggers recursive processing, and with a sufficient number of these members, the recursion depth exceeds the available stack space, causing a stack overflow and subsequent panic.
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), which describes scenarios where software does not properly control the amount of recursion that takes place, consuming excessive resources such as allocated memory or the program stack.
Root Cause
The root cause lies in the gzip reader's handling of concatenated compressed streams. The gzip format specification allows multiple compressed members to be concatenated together, and Go's implementation recursively processes each member. However, the implementation lacked proper bounds checking on the recursion depth. When an archive contains a large number of empty (0-length) compressed members concatenated together, each member causes another level of recursion without consuming much of the input data, allowing an attacker to exhaust the stack with a relatively small malicious file.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a gzip archive with thousands of concatenated 0-length compressed members
- Sending this malicious archive to any Go application that processes gzip data from untrusted sources
- When the application decompresses the archive with compress/gzip's Reader.Read, the recursive handling of each member exhausts the goroutine stack
- The application panics and crashes, resulting in denial of service
Common attack surfaces include web applications accepting gzip-compressed uploads, API endpoints processing compressed payloads, and any service that decompresses gzip data from external sources.
Detection Methods for CVE-2022-30631
Indicators of Compromise
- Unusual application crashes or panics in Go services with stack overflow errors
- Error logs showing panic messages related to compress/gzip or Reader.Read functions
- Gzip files with anomalously high member counts but small overall file sizes
- Repeated service restarts coinciding with receipt of gzip-compressed data
Detection Strategies
- Monitor Go application logs for panic events referencing stack exhaustion or compress/gzip
- Implement runtime monitoring to detect abnormal memory and stack usage patterns during decompression operations
- Use static analysis tools to identify code paths that process untrusted gzip data with vulnerable Go versions
- Deploy application performance monitoring to alert on unexpected crash patterns in services handling compressed data
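The log monitoring suggested above, as an added example that is not from the advisory or the Go project: a scanner over a constructed Go crash dump that flags a stack-overflow report whose traceback repeats compress/gzip.(*Reader).Read. The marker strings are the Go runtime's real crash output; the frame threshold, the goroutine addresses and the NNN line number are this example's own placeholders.

```go
package main

import "strings"

// Marker strings are the Go runtime's own crash output; the frame threshold is
// chosen for this demo (a real recursion dump shows hundreds of such frames).
const (
	overflowMarker = "fatal error: stack overflow"
	gzipReadFrame  = "compress/gzip.(*Reader).Read("
	minGzipFrames  = 3
)

// Finding records one stack overflow whose traceback shows the gzip recursion.
type Finding struct {
	Line       int // 1-based log line of the "fatal error" marker
	GzipFrames int // compress/gzip.(*Reader).Read frames in its traceback
}

// ScanGoCrashLog reports each stack-overflow crash in log whose traceback
// contains at least minGzipFrames compress/gzip.(*Reader).Read frames.
func ScanGoCrashLog(log string) []Finding {
	var findings []Finding
	var cur *Finding
	flush := func() {
		if cur != nil && cur.GzipFrames >= minGzipFrames {
			findings = append(findings, *cur)
		}
	}
	for i, line := range strings.Split(log, "\n") {
		if strings.Contains(line, overflowMarker) {
			flush() // close out the previous crash report, if any
			cur = &Finding{Line: i + 1}
		} else if cur != nil && strings.Contains(line, gzipReadFrame) {
			cur.GzipFrames++
		}
	}
	flush()
	return findings
}

// sampleLog is constructed for this example in the shape of a Go crash dump;
// the addresses are placeholders and the source-path lines are omitted.
const sampleLog = `runtime: goroutine stack exceeds 1000000000-byte limit
fatal error: stack overflow
compress/gzip.(*Reader).Read(0xc0000a6000, {0xc0000b0000, 0x8000, 0x8000})
compress/gzip.(*Reader).Read(0xc0000a6000, {0xc0000b0000, 0x8000, 0x8000})
compress/gzip.(*Reader).Read(0xc0000a6000, {0xc0000b0000, 0x8000, 0x8000})
main.handleUpload(...)
`
```

A stack overflow whose frames do not involve compress/gzip (the second case in the test) is deliberately not reported, so the alert stays specific to this bug rather than to any deep recursion.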
Monitoring Recommendations
- Configure centralized logging to aggregate panic events across all Go-based services
- Set up alerting thresholds for service restart frequency to detect potential DoS attacks
- Monitor network traffic for suspicious patterns of gzip file submissions
- Track Go runtime version across deployments to ensure vulnerable versions are identified
How to Mitigate CVE-2022-30631
Immediate Actions Required
- Upgrade Go to version 1.17.12 or later for the 1.17.x branch
- Upgrade Go to version 1.18.4 or later for the 1.18.x branch
- Rebuild and redeploy all applications compiled with affected Go versions
- Implement input validation to reject suspiciously structured gzip files before processing
Patch Information
The Go team has released patches addressing this vulnerability. The fix modifies the gzip reader to handle concatenated members iteratively rather than recursively, preventing stack exhaustion attacks. Detailed information about the fix is available through the following resources:
- Go.dev Code Change Log #417067 - The specific code change implementing the fix
- Go Source Code Commit - The commit containing the patch
- Go.dev Vulnerability Report GO-2022-0524 - Official vulnerability report
Organizations should prioritize upgrading the Go compiler and rebuilding affected applications. The Golang Announcement Group Post contains additional details about the security release.
Workarounds
- Implement size and structure validation on gzip files before processing with the standard library
- Use resource limits to constrain the impact of stack exhaustion on critical services; note that goroutine stacks are sized by the Go runtime (see runtime/debug.SetMaxStack) rather than by the process stack ulimit, so an OS-level ulimit alone does not bound this recursion
- Deploy applications behind a reverse proxy that can filter or validate compressed content
- Consider using alternative gzip libraries with explicit recursion limits until patching is complete
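One way to apply the structure validation and the explicit member limit described in the workarounds above, as an added example that is not from the advisory or the Go project: decompress member by member with Multistream(false), which returns at each member boundary instead of taking the member-to-member path that recursed in vulnerable versions, and reject payloads with too many members. maxMembers, SafeDecompress and the concatMembers helper are this example's own names and choices.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

const maxMembers = 16 // example limit for this demo, not a value from the advisory
var ErrTooManyMembers = errors.New("gzip: too many concatenated members")

// SafeDecompress inflates a multi-member gzip stream one member at a time: with
// Multistream(false) the reader stops at each boundary instead of taking the path
// that recursed in vulnerable Go versions, and this loop Resets to the next header.
func SafeDecompress(data []byte) (out []byte, members int, err error) {
	src := bytes.NewReader(data) // io.ByteReader: gzip.Reader reads it unbuffered
	zr, err := gzip.NewReader(src)
	if err != nil {
		return nil, 0, err
	}
	var buf bytes.Buffer
	for {
		if members++; members > maxMembers {
			return nil, members, ErrTooManyMembers
		}
		zr.Multistream(false) // Reset re-enables multistream, so set it each pass
		if _, err = io.Copy(&buf, zr); err != nil {
			return nil, members, err
		}
		if err = zr.Reset(src); err == io.EOF { // no further member header
			return buf.Bytes(), members, nil
		} else if err != nil {
			return nil, members, err
		}
	}
}

// concatMembers builds constructed test input: one gzip member per payload,
// so an empty string yields a 0-length member like those in the advisory.
func concatMembers(payloads ...string) []byte {
	var buf bytes.Buffer
	for _, p := range payloads {
		w := gzip.NewWriter(&buf)
		w.Write([]byte(p))
		w.Close()
	}
	return buf.Bytes()
}
```

A total decompressed-size cap (wrapping zr in io.LimitReader) is the natural companion to the member limit for untrusted input.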
# Configuration example - Verify Go version and update
# Check current Go version
go version
# Update Go to patched version (example for Linux)
# Download Go 1.18.4 or later from https://go.dev/dl/
wget https://go.dev/dl/go1.18.4.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.18.4.linux-amd64.tar.gz
# Rebuild affected applications
go build -o myapp ./cmd/myapp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.