{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18089?format=json",
  "vulnerability_id": "VCID-fcfw-7u4r-ebf8",
  "summary": "Potential memory exhaustion attack due to sparse slice deserialization\n### Details\n\nRunning `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice. \n\nIn the local environment for my project, I was able to call an endpoint like `/innocent_endpoint?arr.10000000.X=1` and freeze my system from the memory allocation while parsing `r.Form`. I think [this line](https://github.com/gorilla/schema/blob/main/decoder.go#L223) is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.\n\n### Proof of Concept\n\nThe following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/gorilla/schema\"\n)\n\nfunc main() {\n\tdec := schema.NewDecoder()\n\tvar result struct {\n\t\tArr []struct{ Val int }\n\t}\n\tif err := dec.Decode(&result, map[string][]string{\"arr.1000000000.Val\": {\"1\"}}); err != nil {\n\t\tpanic(err)\n\t}\n\tfmt.Printf(\"%#+v\\n\", result)\n}\n\n```\n\n### Impact\n\nAny use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.",
  "aliases": [
    {"alias": "CVE-2024-37298"},
    {"alias": "GHSA-3669-72x9-r9p3"}
  ],
  "fixed_packages": [
    {"url": "http://public2.vulnerablecode.io/api/packages/923986?format=json", "purl": "pkg:deb/debian/golang-github-gorilla-schema@1.4.1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-gorilla-schema@1.4.1-1%3Fdistro=trixie"},
    {"url": "http://public2.vulnerablecode.io/api/packages/995189?format=json", "purl": "pkg:deb/debian/golang-github-gorilla-schema@1.4.1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-gorilla-schema@1.4.1-1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/58400?format=json", "purl": "pkg:golang/github.com/gorilla/schema@1.4.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/github.com/gorilla/schema@1.4.1"}
  ],
  "affected_packages": [
    {"url": "http://public2.vulnerablecode.io/api/packages/995188?format=json", "purl": "pkg:deb/debian/golang-github-gorilla-schema@1.2.0-2", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-gorilla-schema@1.2.0-2"},
    {"url": "http://public2.vulnerablecode.io/api/packages/923985?format=json", "purl": "pkg:deb/debian/golang-github-gorilla-schema@1.2.0-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-gorilla-schema@1.2.0-2%3Fdistro=trixie"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93006?format=json", "purl": "pkg:rpm/redhat/podman@2:4.2.0-5?arch=el9_0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@2:4.2.0-5%3Farch=el9_0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93007?format=json", "purl": "pkg:rpm/redhat/podman@2:4.4.1-20?arch=el9_2", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-6nrn-u58x-mben"}, {"vulnerability": "VCID-fcfw-7u4r-ebf8"}, {"vulnerability": "VCID-k54u-rbhx-bbbu"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@2:4.4.1-20%3Farch=el9_2"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93010?format=json", "purl": "pkg:rpm/redhat/podman@3:4.2.0-11.rhaos4.12?arch=el9", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}, {"vulnerability": "VCID-wq29-hzz2-5beh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@3:4.2.0-11.rhaos4.12%3Farch=el9"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93012?format=json", "purl": "pkg:rpm/redhat/podman@3:4.4.1-10.3.rhaos4.13?arch=el9", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@3:4.4.1-10.3.rhaos4.13%3Farch=el9"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93009?format=json", "purl": "pkg:rpm/redhat/podman@3:4.4.1-16.4.rhaos4.14?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}, {"vulnerability": "VCID-k54u-rbhx-bbbu"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@3:4.4.1-16.4.rhaos4.14%3Farch=el8"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93008?format=json", "purl": "pkg:rpm/redhat/podman@3:4.4.1-25.2.rhaos4.15?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@3:4.4.1-25.2.rhaos4.15%3Farch=el8"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93011?format=json", "purl": "pkg:rpm/redhat/podman@4:4.9.4-8.rhaos4.16?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-fcfw-7u4r-ebf8"}, {"vulnerability": "VCID-k54u-rbhx-bbbu"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@4:4.9.4-8.rhaos4.16%3Farch=el8"},
    {"url": "http://public2.vulnerablecode.io/api/packages/93005?format=json", "purl": "pkg:rpm/redhat/podman@4:4.9.4-10?arch=el9_4", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-4psv-cefc-7kad"}, {"vulnerability": "VCID-fcfw-7u4r-ebf8"}, {"vulnerability": "VCID-k54u-rbhx-bbbu"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/podman@4:4.9.4-10%3Farch=el9_4"}
  ],
  "references": [
    {"reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37298.json", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37298.json"},
    {"reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37298", "reference_id": "", "reference_type": "", "scores": [
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50111", "published_at": "2026-05-09T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50158", "published_at": "2026-04-04T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50108", "published_at": "2026-04-07T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50162", "published_at": "2026-04-21T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50156", "published_at": "2026-04-09T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50173", "published_at": "2026-04-11T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50146", "published_at": "2026-04-12T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50143", "published_at": "2026-04-13T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50188", "published_at": "2026-04-18T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50147", "published_at": "2026-04-24T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50154", "published_at": "2026-04-26T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50107", "published_at": "2026-04-29T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50027", "published_at": "2026-05-05T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.50082", "published_at": "2026-05-07T12:55:00Z"},
      {"value": "0.00267", "scoring_system": "epss", "scoring_elements": "0.5013", "published_at": "2026-04-02T12:55:00Z"}
    ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37298"},
    {"reference_url": "https://github.com/gorilla/schema", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}], "url": "https://github.com/gorilla/schema"},
    {"reference_url": "https://github.com/gorilla/schema/blob/main/decoder.go#L223", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}, {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:16:14Z/"}], "url": "https://github.com/gorilla/schema/blob/main/decoder.go#L223"},
    {"reference_url": "https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}, {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:16:14Z/"}], "url": "https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff"},
    {"reference_url": "https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}, {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:16:14Z/"}], "url": "https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3"},
    {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37298", "reference_id": "", "reference_type": "", "scores": [{"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37298"},
    {"reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075973", "reference_id": "1075973", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075973"},
    {"reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295010", "reference_id": "2295010", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295010"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:4702", "reference_id": "RHSA-2024:4702", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4702"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:4825", "reference_id": "RHSA-2024:4825", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4825"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:4848", "reference_id": "RHSA-2024:4848", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4848"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:4858", "reference_id": "RHSA-2024:4858", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4858"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:4963", "reference_id": "RHSA-2024:4963", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4963"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:5194", "reference_id": "RHSA-2024:5194", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5194"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:5202", "reference_id": "RHSA-2024:5202", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5202"},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2024:6194", "reference_id": "RHSA-2024:6194", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6194"}
  ],
  "weaknesses": [
    {"cwe_id": 770, "name": "Allocation of Resources Without Limits or Throttling", "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."}
  ],
  "exploits": [],
  "severity_range_score": "7.0 - 8.9",
  "exploitability": "0.5",
  "weighted_severity": "8.0",
  "risk_score": 4.0,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fcfw-7u4r-ebf8"
}