CVE-2024-34158 Overview
CVE-2024-34158 is a stack exhaustion vulnerability in the Go programming language's build tag parser. The vulnerability occurs when the Parse function processes a // +build build tag line containing deeply nested expressions, leading to uncontrolled recursion that exhausts the call stack and causes a panic. This denial of service vulnerability can be triggered remotely by providing malicious input to any application that parses untrusted build constraint expressions.
Critical Impact
Applications parsing untrusted Go source files or build constraints are vulnerable to denial of service attacks through crafted build tag expressions that cause stack exhaustion and application crashes.
Affected Products
- Go programming language (go/build/constraint package)
- Applications using go/build/constraint.Parse with untrusted input
- Build systems and tools processing Go source files
Discovery Timeline
- 2024-09-06 - CVE-2024-34158 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-34158
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), which represents a category of flaws where recursive function calls are not properly bounded, leading to resource exhaustion. The vulnerable code path exists in the go/build/constraint package, specifically in how the Parse function handles legacy // +build directive syntax.
When processing build tag lines, the parser recursively evaluates nested expressions. An attacker can craft input with deeply nested logical expressions (using combinations of AND, OR, and NOT operators) that cause the parser to recurse to an excessive depth. Since Go does not implement tail-call optimization and has a fixed stack size, this uncontrolled recursion eventually exhausts available stack space, triggering a runtime panic.
The vulnerability is network-exploitable because many Go-based tools and services parse source files or build constraints from untrusted sources, including package registries, code repositories, and continuous integration systems.
Root Cause
The root cause is insufficient depth limiting in the recursive descent parser for build constraint expressions. The legacy // +build syntax allows arbitrary nesting of boolean expressions, and the parser follows this nesting without tracking or limiting recursion depth. This design flaw allows malicious input to control stack consumption, violating the principle of bounded resource usage.
Attack Vector
The attack can be executed remotely over a network by providing a specially crafted Go source file or build constraint string to any service that uses go/build/constraint.Parse. The attacker constructs a build tag line with deeply nested expressions, such as repeated parenthetical groupings or chained operators. When the target application attempts to parse this input, the recursive parser descends through each nesting level, consuming stack frames until the stack is exhausted and the application crashes.
Potential attack scenarios include:
- Submitting malicious Go packages to module proxies or registries
- Providing crafted source files to code analysis tools
- Targeting build systems that process untrusted repositories
Detection Methods for CVE-2024-34158
Indicators of Compromise
- Unexpected application crashes with stack overflow panic messages
- Go runtime errors indicating stack exhaustion during source file parsing
- Log entries showing panics in go/build/constraint package functions
- Service availability issues correlated with processing of specific Go source files
Detection Strategies
- Monitor for Go panic stack traces containing go/build/constraint.Parse or related functions
- Implement resource monitoring for applications that parse Go source files from untrusted sources
- Deploy application-level logging to capture input that triggers parsing failures
- Use static analysis to identify code paths where untrusted input reaches Parse functions
Monitoring Recommendations
- Set up alerts for abnormal process termination patterns in Go applications
- Monitor memory and CPU usage spikes that may precede stack exhaustion
- Implement request logging with payload capture for debugging crash incidents
- Track service restarts and correlate with recent input patterns
How to Mitigate CVE-2024-34158
Immediate Actions Required
- Update to patched Go versions that include the fix from Go changeset CL 611240
- Identify all applications and services that parse Go source files or build constraints
- Implement input validation to reject excessively complex build tag expressions before parsing
- Consider sandboxing or resource limits for processes handling untrusted Go source input
Patch Information
The Go team has addressed this vulnerability in the official fix referenced in Go changeset CL 611240. The patch introduces proper depth limiting in the build constraint parser to prevent unbounded recursion. Full details are available in the Go vulnerability report GO-2024-3107 and the issue tracker entry. NetApp users should also review the NetApp Security Advisory for product-specific guidance.
Workarounds
- Implement pre-validation of build tag complexity before calling Parse functions
- Set resource limits (stack size, execution time) on processes parsing untrusted input
- Use process isolation or containers to limit the impact of crashes
- Filter or sanitize Go source files before processing to remove or simplify build constraints
# Example: Setting stack size limits for Go applications (Linux)
ulimit -s 8192
# Run application with reduced stack to fail faster on deep recursion
./your-go-application
# Alternative: Use a wrapper to limit resources
systemd-run --scope -p MemoryMax=512M -p CPUQuota=50% ./your-go-application
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
