iskorotkov/avro
- <= v2.31.0
- < v2.33.0
A denial-of-service vulnerability has been identified in the iskorotkov/avro Go library in versions prior to 2.33.0. The issue lies in the Avro array and map decoders, which loop over an attacker-controlled block count without checking that the input actually contains that many elements. A malicious producer can declare an excessively large block, up to approximately 9.2 quintillion elements, and follow it with an end-of-file or truncated payload. The decoder then performs a corresponding number of no-operation iterations, a loop that is effectively infinite and consumes CPU until the process is terminated or killed externally. The vulnerability is remotely triggerable and does not require authentication.
Exploitation of this vulnerability leads to CPU exhaustion, causing the process to be terminated or killed externally after running out of memory.
The vulnerability can be reproduced by sending a payload that includes a zigzag-encoded long value of math.MaxInt64, which the decoder interprets as a block count. The decoder will then enter a loop, iterating math.MaxInt64 times, effectively pinning a CPU core until the process is out of memory or terminated.
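The defensive pattern that closes this class of bug is to bound the block count by the bytes that remain before entering the element loop. The following Go code is an added example, not code from the iskorotkov/avro library; it assumes an Avro array<long> (zigzag varint block count, optional byte size for negative counts, zero count terminator) and reads it from an in-memory buffer:

```go
package main
import "bytes"
import "fmt"
// readLong decodes one Avro zigzag-encoded varint long, failing on EOF or more than 10 bytes.
func readLong(r *bytes.Reader) (int64, error) {
	var u uint64
	for shift := uint(0); ; shift += 7 {
		b, err := r.ReadByte()
		if err != nil || shift > 63 {
			return 0, fmt.Errorf("bad varint at bit %d: %v", shift, err)
		}
		u |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			return int64(u>>1) ^ -int64(u&1), nil
		}
	}
}
// decodeLongArray reads an Avro array<long> and refuses any block count the remaining bytes cannot satisfy.
func decodeLongArray(data []byte) ([]int64, error) {
	r := bytes.NewReader(data)
	out := []int64{}
	for {
		count, err := readLong(r)
		if err != nil {
			return nil, fmt.Errorf("block count: %w", err)
		}
		if count == 0 {
			return out, nil // zero count terminates the array
		}
		if count < 0 { // negative count: the block's byte size follows
			if count = -count; count < 0 {
				return nil, fmt.Errorf("block count overflow")
			} else if _, err = readLong(r); err != nil {
				return nil, fmt.Errorf("block size: %w", err)
			}
		}
		// Every element occupies at least one byte, so a count above r.Len() is unsatisfiable.
		if count > int64(r.Len()) {
			return nil, fmt.Errorf("block count %d exceeds %d remaining bytes", count, r.Len())
		}
		for i := int64(0); i < count; i++ {
			v, err := readLong(r)
			if err != nil {
				return nil, fmt.Errorf("element %d: %w", i, err)
			}
			out = append(out, v)
		}
	}
}
```

Because the bound is checked before the loop starts, a math.MaxInt64 count followed by EOF is rejected in constant time rather than spinning through empty reads; a per-element EOF check still catches payloads truncated mid-element.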
Users should upgrade to version 2.33.0 or later of the library, where this vulnerability has been fixed. Those still on version 2.31.0 or earlier should migrate to the iskorotkov/avro fork, as the original repository is archived and no longer maintained.