Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*
- < go1.25.11
- >= go1.26.0-0, < go1.26.4
A denial-of-service vulnerability has been identified in the Go standard library's mime package. The WordDecoder.DecodeHeader function can be driven into excessive CPU consumption by decoding a maliciously crafted MIME header that contains a large number of invalid RFC 2047 encoded-words. Because DecodeHeader is typically applied to attacker-supplied input such as e-mail and HTTP header fields, any service that decodes untrusted headers with it is exposed. The vulnerability affects Go versions prior to 1.25.11, as well as versions from 1.26.0 up to but not including 1.26.4.
Exploitation of this vulnerability can cause excessive CPU usage, leading to a denial-of-service condition.
The vulnerability can be reproduced by crafting a MIME header containing many invalid encoded-words and passing it to WordDecoder.DecodeHeader. On an affected Go version the decoder consumes an excessive amount of CPU time processing such a header, demonstrating the denial-of-service effect. The advisory does not publish the exact shape of the triggering input.
Users should upgrade to Go 1.26.4 or 1.25.11, both of which include the fix, and rebuild affected binaries with the patched toolchain, since the vulnerable code is compiled into every program that imports mime. Instructions for downloading these versions are available on the Go website. Where an immediate upgrade is not possible, bounding the size of headers handed to the decoder limits the CPU an attacker can force.
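The following program is an added example, not code from the advisory or from the Go project. It shows the input class the advisory describes (a header made of many invalid encoded-words, constructed here with an encoding letter the decoder does not accept) and a defensive wrapper around mime.WordDecoder.DecodeHeader that refuses oversized or marker-heavy headers before decoding. The limits maxHeaderBytes and maxEncodedWords, the wrapper name safeDecodeHeader and the helper craftedHeader are assumptions chosen for illustration; the constructed input is not claimed to be the exact shape that triggers the bug.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Limits are assumptions chosen for this example, not values from the advisory.
// RFC 5322 caps a header line at 998 octets; a folded header rarely exceeds a
// few kilobytes, and no legitimate header needs dozens of encoded-words.
const (
	maxHeaderBytes  = 8 * 1024
	maxEncodedWords = 64
)

var (
	ErrHeaderTooLarge      = errors.New("header exceeds size limit")
	ErrTooManyEncodedWords = errors.New("header contains too many encoded-word markers")
)

// safeDecodeHeader rejects oversized or marker-heavy headers before handing
// them to mime.WordDecoder.DecodeHeader, bounding the work an attacker can
// force regardless of the Go version in use.
func safeDecodeHeader(dec *mime.WordDecoder, header string) (string, error) {
	if len(header) > maxHeaderBytes {
		return "", ErrHeaderTooLarge
	}
	// "=?" opens an RFC 2047 encoded-word; counting it bounds the number of
	// candidate words the decoder will examine.
	if n := strings.Count(header, "=?"); n > maxEncodedWords {
		return "", ErrTooManyEncodedWords
	}
	return dec.DecodeHeader(header)
}

// craftedHeader is constructed input: n encoded-words whose encoding letter
// 'x' is neither B nor Q, so every one of them is invalid and DecodeHeader
// passes it through verbatim. It illustrates the input class in the advisory
// and is not claimed to be the exact shape that triggers the bug.
func craftedHeader(n int) string {
	return strings.Repeat("=?utf-8?x?a?= ", n)
}

func main() {
	dec := &mime.WordDecoder{}

	// Benign header: one valid Q-encoded word decodes to "Subject: Café menu".
	out, err := safeDecodeHeader(dec, "Subject: =?utf-8?q?Caf=C3=A9?= menu")
	fmt.Printf("benign: %q err=%v\n", out, err)

	// A handful of invalid encoded-words stays within limits and is returned as-is.
	out, err = safeDecodeHeader(dec, craftedHeader(10))
	fmt.Printf("small crafted: %d bytes err=%v\n", len(out), err)

	// Many invalid encoded-words are refused before DecodeHeader ever runs.
	_, err = safeDecodeHeader(dec, craftedHeader(100))
	fmt.Printf("100 words: err=%v\n", err)
	_, err = safeDecodeHeader(dec, craftedHeader(10000))
	fmt.Printf("10000 words: err=%v\n", err)
}
```

The wrapper is a mitigation layered in front of the library call, not a replacement for upgrading: the count check keys on the "=?" marker that every encoded-word starts with, so the decoder never sees more candidate words than the limit allows, and the byte limit caps the scanning it can do on each one. Tune both limits to what your protocol legitimately carries and log rejections, since a header tripping them is a useful detection signal.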