Skip to main content

Improper Validation of Specified Quantity in Input


Severity High
Score 7.5/10


The package go-bitfield is a simple bitfield package for the go language, aiming to be more performant than the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger panics. This happen when the `size` is not a multiple of `8` or is negative. There is already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`. This vulnerability affects versions prior to 1.1.0.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1284 - Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Advisory Timeline

  • Published