VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-qfej-qtan-aaae

Essentials
Severities (103)
References (48)
Severity details (12)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-qfej-qtan-aaae
Aliases	CVE-2022-41725
Summary	A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
Status	Published
Exploitability	0.5
Weighted Severity	7.1
Risk	3.5
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-770	Allocation of Resources Without Limits or Throttling
CWE-400	Uncontrolled Resource Consumption

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41725.json
epss	0.00046	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00046	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00046	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00046	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00051	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00209	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00212	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00246	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00246	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00246	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
epss	0.00246	https://api.first.org/data/v1/epss?cve=CVE-2022-41725
cvssv3.1	6.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc	Track	https://go.dev/cl/468124
ssvc	Track	https://go.dev/issue/58006
ssvc	Track	https://go.dev/issue/58006
cvssv3.1	7.5	https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
generic_textual	HIGH	https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
ssvc	Track	https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-41725
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-41725
ssvc	Track	https://pkg.go.dev/vuln/GO-2023-1569
ssvc	Track	https://security.gentoo.org/glsa/202311-09

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41725.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-41725
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41725
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://go.dev/cl/468124
		https://go.dev/issue/58006
		https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
		https://pkg.go.dev/vuln/GO-2023-1569
2178488		https://bugzilla.redhat.com/show_bug.cgi?id=2178488
cpe:2.3:a:golang:go::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go::::::::
cpe:2.3:a:golang:go:1.20.0:-::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:1.20.0:-::::::
cpe:2.3:a:golang:go:1.20.0:rc1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:1.20.0:rc1::::::
cpe:2.3:a:golang:go:1.20.0:rc2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:1.20.0:rc2::::::
cpe:2.3:a:golang:go:1.20.0:rc3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:1.20.0:rc3::::::
CVE-2022-41725		https://nvd.nist.gov/vuln/detail/CVE-2022-41725
GLSA-202311-09		https://security.gentoo.org/glsa/202311-09
RHSA-2023:0584		https://access.redhat.com/errata/RHSA-2023:0584
RHSA-2023:1325		https://access.redhat.com/errata/RHSA-2023:1325
RHSA-2023:1326		https://access.redhat.com/errata/RHSA-2023:1326
RHSA-2023:1639		https://access.redhat.com/errata/RHSA-2023:1639
RHSA-2023:1817		https://access.redhat.com/errata/RHSA-2023:1817
RHSA-2023:2107		https://access.redhat.com/errata/RHSA-2023:2107
RHSA-2023:3083		https://access.redhat.com/errata/RHSA-2023:3083
RHSA-2023:3167		https://access.redhat.com/errata/RHSA-2023:3167
RHSA-2023:3445		https://access.redhat.com/errata/RHSA-2023:3445
RHSA-2023:3450		https://access.redhat.com/errata/RHSA-2023:3450
RHSA-2023:3455		https://access.redhat.com/errata/RHSA-2023:3455
RHSA-2023:3612		https://access.redhat.com/errata/RHSA-2023:3612
RHSA-2023:3742		https://access.redhat.com/errata/RHSA-2023:3742
RHSA-2023:4003		https://access.redhat.com/errata/RHSA-2023:4003
RHSA-2023:4335		https://access.redhat.com/errata/RHSA-2023:4335
RHSA-2023:4470		https://access.redhat.com/errata/RHSA-2023:4470
RHSA-2023:4627		https://access.redhat.com/errata/RHSA-2023:4627
RHSA-2023:5935		https://access.redhat.com/errata/RHSA-2023:5935
RHSA-2023:5964		https://access.redhat.com/errata/RHSA-2023:5964
RHSA-2023:6346		https://access.redhat.com/errata/RHSA-2023:6346
RHSA-2023:6363		https://access.redhat.com/errata/RHSA-2023:6363
RHSA-2023:6402		https://access.redhat.com/errata/RHSA-2023:6402
RHSA-2023:6473		https://access.redhat.com/errata/RHSA-2023:6473
RHSA-2023:6474		https://access.redhat.com/errata/RHSA-2023:6474
RHSA-2023:6817		https://access.redhat.com/errata/RHSA-2023:6817
RHSA-2023:6938		https://access.redhat.com/errata/RHSA-2023:6938
RHSA-2023:6939		https://access.redhat.com/errata/RHSA-2023:6939
RHSA-2023:7672		https://access.redhat.com/errata/RHSA-2023:7672
RHSA-2024:2944		https://access.redhat.com/errata/RHSA-2024:2944
USN-6140-1		https://usn.ubuntu.com/6140-1/
USN-7109-1		https://usn.ubuntu.com/7109-1/
USN-7111-1		https://usn.ubuntu.com/7111-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41725.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:57:52Z/ Found at https://go.dev/cl/468124

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:57:52Z/ Found at https://go.dev/issue/58006

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:57:52Z/ Found at https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41725

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-41725

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:57:52Z/ Found at https://pkg.go.dev/vuln/GO-2023-1569

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T17:57:52Z/ Found at https://security.gentoo.org/glsa/202311-09

Exploit Prediction Scoring System (EPSS)

Percentile	0.13866
EPSS Score	0.00046
Published At	April 15, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.