gob deserialization

About this tag
The gob deserialization tag covers content related to Go's encoding/gob package and its security implications, particularly the denial-of-service vulnerability CVE-2024-34156. This flaw allows an attacker to crash a Go process by sending a crafted gob payload with extremely deep nesting, causing stack exhaustion during deserialization. The vulnerability affects applications that decode untrusted gob data using Decoder.Decode or DecodeValue. Mitigation involves updating to the patched Go release. Discussions focus on the technical details of the stack exhaustion mechanism, affected code patterns, and best practices for handling gob input safely in Go applications.
1. Go Gob Decoder DoS: CVE-2024-34156 Stack Exhaustion and Mitigation

   A critical availability weakness in Go’s standard library — tracked as CVE-2024-34156 — lets an attacker reliably crash a process that decodes untrusted gob data by driving the decoder into stack exhaustion. The flaw is simple in concept but serious in consequence: calling encoding/gob’s...