Iskorotkov Avro Integer Overflow Vulnerability in Decoder Prior to 2.33.0

Vulnerability

A denial-of-service vulnerability has been identified in the Iskorotkov Avro Go codec in versions prior to 2.33.0. The issue arises in several decoder paths that read 64-bit values from the Avro wire format. These values are either narrowed to platform-sized integers without bounds checking or manipulated with signed-integer arithmetic that can overflow. On 32-bit platforms (GOARCH=386, arm, mips, and wasm), the truncation can silently bypass byte-slice limits, select the wrong union branch, or cause a panic when an OCF block read calls make with a negative length. Three further sub-issues are not specific to 32-bit platforms; they add to the denial-of-service risk by causing panics or bypassing allocation caps on any platform.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to panic and crash. This can be particularly disruptive if decoding workers are not properly isolated, allowing the crash to affect the entire application.

Reproduction

The vulnerability can be reproduced by decoding untrusted Avro data that contains carefully crafted 64-bit values. On 32-bit platforms, values that exceed 2^31 will be truncated, bypassing byte-slice limits and causing the decoder to misinterpret union types. This can be demonstrated by encoding an array or map across multiple blocks, ensuring that the cumulative element count wraps around the integer limit, or by using block headers that trigger the negative-make panic.

Remediation

Users are advised to upgrade to Iskorotkov Avro version 2.33.0 or later. For those using the original import path, a replace directive in the go.mod file can be used to point to the updated version.
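The narrowing and overflow pattern described under Vulnerability and Reproduction, beside a bounds-checked conversion of the kind a hardened decoder needs, as an added example that is not code from the iskorotkov/avro project; the cap value, function names and error are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Constructed example, not code from the iskorotkov/avro project. It shows the
// two ways a decoded Avro int64 length can go wrong when narrowed to a
// platform-sized int, and a checked conversion that rejects such values.

// maxBlockBytes is an assumed allocation cap the decoder enforces on byte slices.
const maxBlockBytes = 1 << 20

var errLength = errors.New("avro: length out of range")

// unsafeNarrow mirrors the vulnerable pattern: int(n) silently truncates on
// 32-bit targets, so a value at or above 2^31 can wrap to a negative int and
// slip past a limit check that was written against the narrowed value.
func unsafeNarrow(n int64) int { return int(n) }

// checkedLength converts a decoded int64 to int only when it is non-negative,
// fits the platform int on every GOARCH, and respects the allocation cap.
func checkedLength(n int64, limit int) (int, error) {
	if n < 0 || n > int64(math.MaxInt) || n > int64(limit) {
		return 0, errLength
	}
	return int(n), nil
}

// accumulate adds one block's element count to a running total and rejects
// signed overflow instead of wrapping (the multi-block array/map case).
func accumulate(total, count int64) (int64, error) {
	if count < 0 || total > math.MaxInt64-count {
		return 0, errLength
	}
	return total + count, nil
}

func main() {
	for _, n := range []int64{10, 1 << 31, -1, math.MaxInt64} {
		got, err := checkedLength(n, maxBlockBytes)
		fmt.Printf("n=%d unsafe=%d checked=%d err=%v\n", n, unsafeNarrow(n), got, err)
	}
}
```

Build with GOARCH=386 to see unsafeNarrow return a negative value for 1<<31 while checkedLength rejects it on both 32-bit and 64-bit targets.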

Added: May 29, 2026, 8:29 PM
Updated: May 29, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 9.6
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.