GHSA-39qr-rc93-vhqm
Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
Details

### Summary

The `apiHandler` (and similarly `webHandlerTelegramBot`) processes user-provided JSON payloads by calling `json.NewDecoder(r.Body).Decode(&request)` directly on the request body without bounding how many bytes may be read. An unauthenticated remote attacker can stream an extremely large, effectively endless JSON payload (for example, several gigabytes of padding inside a string or array) over a single TCP connection. Because `json.Decoder` buffers the entire JSON value in memory before it unmarshals it, this rapidly exhausts the host's physical RAM or the container's memory limit. The process then dies either with a Go runtime `fatal error: runtime: out of memory` or, on Linux, because the kernel OOM killer terminates the whole `bird-lg-go` daemon. The result is a remote denial of service (RDoS) against the looking-glass service and, where the daemon is not supervised, an outage until it is restarted by hand.
### Details

In `api.go`:

```go
func apiHandler(w http.ResponseWriter, r *http.Request) {
	var request apiRequest
	// VULNERABILITY: No http.MaxBytesReader protection before JSON decode
	err := json.NewDecoder(r.Body).Decode(&request)
	// ...
```
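The following is an added example, not code from the bird-lg-go project, contrasting the unbounded decode above with a handler that wraps the body in `http.MaxBytesReader` before decoding. The `apiRequest` field names, the `maxBodyBytes` limit of 64 KiB, and the handler and helper names are assumptions for illustration; the upstream fix may use different values. The constructed oversized payload is only 128 KiB so the example is safe to run, but it is enough to show that the unbounded decoder accepts it while the bounded one rejects it with 413 and stops reading at the cap.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// apiRequest carries only the fields needed for this example; the field
// names are an assumption, not the project's actual struct.
type apiRequest struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// maxBodyBytes is an assumed cap; pick one that fits the largest
// legitimate request the API expects (a few KiB is plenty for a looking glass).
const maxBodyBytes = 64 << 10 // 64 KiB

// decodeUnbounded reproduces the vulnerable pattern: Decode reads the
// whole JSON value into memory with no limit on its size.
func decodeUnbounded(r *http.Request) (apiRequest, error) {
	var req apiRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	return req, err
}

// decodeBounded wraps the body with http.MaxBytesReader before decoding.
// Once maxBodyBytes have been read the reader returns *http.MaxBytesError
// and the server closes the connection, so the decoder never buffers more
// than the cap regardless of how much the client streams.
func decodeBounded(w http.ResponseWriter, r *http.Request) (apiRequest, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req apiRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	return req, err
}

// hardenedAPIHandler maps an oversized body to 413 and any other decode
// failure to 400, instead of letting the process grow until it is killed.
func hardenedAPIHandler(w http.ResponseWriter, r *http.Request) {
	req, err := decodeBounded(w, r)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: type=%s servers=%d\n", req.Type, len(req.Servers))
}

// oversizedJSON is constructed sample input: a syntactically valid request
// whose "args" string is padded to twice maxBodyBytes.
func oversizedJSON() string {
	pad := strings.Repeat("A", 2*maxBodyBytes)
	return `{"servers":["r1"],"type":"bird","args":"` + pad + `"}`
}

// smallJSON is constructed sample input well under the cap.
func smallJSON() string {
	return `{"servers":["r1","r2"],"type":"bird","args":"show protocols"}`
}

// unboundedAccepts reports whether the vulnerable decoder parses body
// without error; for oversizedJSON it does, which is the problem.
func unboundedAccepts(body string) bool {
	req := httptest.NewRequest(http.MethodPost, "/api/", strings.NewReader(body))
	_, err := decodeUnbounded(req)
	return err == nil
}

// postJSON drives handler with body through httptest and returns the status code.
func postJSON(handler http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/", strings.NewReader(body))
	handler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded decoder accepts oversized body:", unboundedAccepts(oversizedJSON()))
	fmt.Println("hardened handler, oversized body ->", postJSON(hardenedAPIHandler, oversizedJSON()))
	fmt.Println("hardened handler, small body     ->", postJSON(hardenedAPIHandler, smallJSON()))
}
```

`http.MaxBytesReader` has to wrap `r.Body` before the decoder touches it, and the cap must be chosen per endpoint: a limit that is generous for a file upload is still far too large for a JSON control request. For an application-wide floor, `http.Server.MaxHeaderBytes` only covers headers, so body limits still need the per-handler wrapper.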
Affected packages

- github.com/xddxdd/bird-lg-go: affected from version 0, fixed in 0.0.0-20260507060110-0ff87024cb9e

```
go get github.com/xddxdd/bird-lg-go@v0.0.0-20260507060110-0ff87024cb9e
```

References
- https://github.com/xddxdd/bird-lg-go/security/advisories/GHSA-39qr-rc93-vhqm [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-45047 [ADVISORY]
- https://github.com/xddxdd/bird-lg-go/commit/0ff87024cb9ed01fc5f5fdc6f4603fce4c123922 [WEB]
- https://github.com/xddxdd/bird-lg-go [PACKAGE]
- https://github.com/xddxdd/bird-lg-go/releases/tag/v1.4.5 [WEB]