CVE-2022-32149 Overview
CVE-2022-32149 is a denial of service vulnerability in the Golang text package that allows attackers to exploit the ParseAcceptLanguage function. By crafting a malicious Accept-Language HTTP header, an attacker can cause the parser to consume excessive processing time, leading to service degradation or complete denial of service for applications that rely on this package for language negotiation.
Critical Impact
Applications using the Golang text package's ParseAcceptLanguage function are vulnerable to resource exhaustion attacks through specially crafted HTTP headers, potentially causing service unavailability.
Affected Products
- Golang Text package (vulnerable versions prior to security patch)
- Applications utilizing golang.org/x/text/language for Accept-Language parsing
- Web services implementing HTTP language negotiation with the affected library
Discovery Timeline
- 2022-10-14 - CVE-2022-32149 published to NVD
- 2025-05-15 - Last updated in NVD database
Technical Details for CVE-2022-32149
Vulnerability Analysis
This vulnerability is classified under CWE-772 (Missing Release of Resource after Effective Lifetime), indicating that the parsing function fails to properly manage computational resources when processing malformed input. The ParseAcceptLanguage function in the Golang text package does not adequately validate or limit the complexity of incoming Accept-Language header values before processing them.
When a web application receives HTTP requests with Accept-Language headers, it typically uses the ParseAcceptLanguage function to determine the client's preferred languages. The vulnerability allows an attacker to construct header values that trigger excessive parsing operations, consuming CPU cycles disproportionate to the input size.
Root Cause
The root cause lies in insufficient input validation and algorithmic complexity within the ParseAcceptLanguage function. The parser does not implement proper bounds checking or early termination when encountering pathologically crafted input strings. This allows attackers to submit header values that cause the parser to enter computationally expensive code paths, resulting in an algorithmic complexity attack.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with specially crafted Accept-Language headers to any web service that processes these headers using the vulnerable Golang text package.
The attack methodology involves:
- Identifying target applications that use the Golang text package for language parsing
- Crafting malicious Accept-Language header values designed to maximize parsing time
- Sending multiple requests with these crafted headers to exhaust server resources
- Sustained attacks can lead to service degradation or complete denial of service
For detailed technical information about the vulnerability mechanism, see the Go.dev Issue Tracker Entry and the official Go.dev Vulnerability Report GO-2022-1059.
Detection Methods for CVE-2022-32149
Indicators of Compromise
- Unusually long or complex Accept-Language HTTP headers in web server logs
- Elevated CPU utilization in application processes handling HTTP requests
- Increased response latency correlating with language parsing operations
- Application timeouts or service degradation during header processing
Detection Strategies
- Monitor HTTP request logs for abnormally large or repetitive Accept-Language header values
- Implement application performance monitoring (APM) to detect CPU spikes during request handling
- Deploy web application firewall (WAF) rules to flag requests with excessively complex Accept-Language headers
- Use dependency scanning tools to identify applications using vulnerable versions of golang.org/x/text
Monitoring Recommendations
- Configure alerting thresholds for CPU utilization spikes in web-facing services
- Implement request rate limiting on endpoints that process language headers
- Enable detailed logging for HTTP header parsing operations during incident response
- Regularly audit dependencies using govulncheck or similar Go vulnerability scanners
How to Mitigate CVE-2022-32149
Immediate Actions Required
- Update the Golang text package to a patched version immediately
- Review all applications using golang.org/x/text/language for ParseAcceptLanguage usage
- Implement input validation on Accept-Language headers at the web server or load balancer level
- Consider implementing request timeouts for header parsing operations
Patch Information
The Go team has released a fix for this vulnerability. The patch is available at the Go.dev Change Log Entry. Organizations should update their dependencies to incorporate this security fix. Additional vendor guidance is available in the NetApp Security Advisory ntap-20230203-0006 for affected NetApp products.
To update the affected package, run:
go get -u golang.org/x/text
Workarounds
- Implement header length limits at the reverse proxy or load balancer level before requests reach the application
- Add middleware to validate and sanitize Accept-Language headers before passing them to the parser
- Configure request timeouts to prevent long-running parsing operations from consuming resources
- Consider implementing a fixed language preference rather than dynamic parsing for critical services
# Example nginx configuration to limit header size
# Add to http or server block
large_client_header_buffers 4 8k;
# Alternatively, use a location block to reject oversized Accept-Language headers
# This helps mitigate DoS attacks targeting header parsing
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
