CVE-2024-34155 Overview
CVE-2024-34155 is a Denial of Service (DoS) vulnerability affecting the Go programming language's parser functions. Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. This vulnerability allows attackers to craft malicious Go source code that, when parsed, triggers excessive recursion leading to program termination.
Critical Impact
Applications that parse untrusted Go source code are vulnerable to denial of service attacks through stack exhaustion, potentially disrupting build systems, code analysis tools, and development environments.
Affected Products
- Go programming language (go/parser package)
- Applications using Go's go/parser Parse functions
- Code analysis tools and build systems parsing Go source
Discovery Timeline
- September 6, 2024 - CVE-2024-34155 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-34155
Vulnerability Analysis
This vulnerability exists in Go's parser implementation when processing source code containing deeply nested literals. The parser uses recursive descent parsing, and when encountering specially crafted input with excessive nesting depth, the call stack grows proportionally with the nesting level. Since the stack has finite memory, sufficiently deep nesting causes stack exhaustion, resulting in a panic that terminates the program.
The vulnerability is exploitable over the network in scenarios where applications accept and parse Go source code from untrusted sources. This includes online Go playgrounds, code review systems, continuous integration pipelines, and code analysis services. An attacker with low privileges can submit malicious code to trigger the denial of service condition.
Root Cause
The root cause stems from the recursive nature of the parser's literal handling code. When parsing nested composite literals (such as nested arrays, slices, maps, or struct literals), each level of nesting adds a new frame to the call stack. The parser lacks adequate depth checks or iterative alternatives to prevent unbounded recursion, allowing attackers to exhaust available stack space through carefully constructed input.
Attack Vector
An attacker can exploit this vulnerability by submitting Go source code containing deeply nested literals to any service that parses Go code. The attack requires network access and minimal privileges. The malicious input triggers recursive parsing calls that eventually exhaust the program's stack, causing a panic and service disruption. No user interaction is required for exploitation.
The attack is particularly effective against:
- Online Go compilation/execution services
- Code review and static analysis platforms
- CI/CD pipelines that parse Go source files
- IDE language servers processing untrusted code
Detection Methods for CVE-2024-34155
Indicators of Compromise
- Unexpected application crashes or panics in Go-based parsing services
- Stack overflow errors in logs from go/parser package functions
- Sudden service terminations when processing specific Go source files
- Memory and stack utilization anomalies during code parsing operations
Detection Strategies
- Monitor application logs for panic messages related to stack exhaustion or runtime errors from the go/parser package
- Implement input validation to detect and reject source files with excessive nesting depth before parsing
- Deploy application performance monitoring to identify unusual recursion patterns or memory consumption during parse operations
- Create alerts for repeated service restarts or crashes in systems that process Go source code
Monitoring Recommendations
- Enable stack trace logging for all parser-related crashes to identify exploitation attempts
- Implement rate limiting on code submission endpoints to reduce the impact of repeated attack attempts
- Monitor Go runtime metrics including goroutine stack usage and panic frequency
- Establish baseline metrics for normal parsing operations to detect anomalous behavior
How to Mitigate CVE-2024-34155
Immediate Actions Required
- Update Go to the latest patched version that addresses this vulnerability
- Implement input validation to limit nesting depth in Go source code before parsing
- Add resource limits (stack size, parsing timeout) to applications processing untrusted Go code
- Consider sandboxing or isolating parsing operations for untrusted input
Patch Information
The Go development team has addressed this vulnerability through a code change that prevents stack exhaustion when parsing deeply nested literals. The fix is tracked in the Go Dev Issue Discussion and documented in the Go Vulnerability Report GO-2024-3105. Additional details are available in the Go Dev Issue Report and the Golang Dev Group Discussion. Organizations using NetApp products should also review the NetApp Security Advisory NTAP-20240926-0005.
Workarounds
- Implement pre-parsing validation to check and limit nesting depth of incoming Go source code
- Set process-level stack size limits using operating system controls to contain the impact of exhaustion
- Deploy parsing operations in isolated containers or sandboxes with resource constraints
- Implement request timeouts for parsing operations to automatically terminate runaway processes
# Configuration example: Limit stack size for Go applications (Linux)
ulimit -s 8192 # Set stack size limit to 8MB
# Or in systemd service files:
# LimitSTACK=8388608
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
