CVE-2022-30631

Aliases:GO-2022-0524BIT-golang-2022-30631

Advisory lineage Upstream: 0 Downstream: 31

Downstream

DEBIAN-CVE-2022-30631 MGASA-2022-0262 OPENSUSE-SU-2024:12189-1 OPENSUSE-SU-2024:12190-1 RHSA-2022:5775 RHSA-2022:5799

Modified

Published: 09 Aug 2022, 20:16

Last modified:20 Oct 2025, 17:51

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.06% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Aug 2022, 20:16

Published

Vulnerability first disclosed

20 Oct 2025, 17:51

Last Modified

Vulnerability information updated

Description

Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.06%• Percentile: 18%

Techniques & Countermeasures

CWE-674•Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Systems

go standard library•compress/gzip
< 1.17.12 | ≥ 1.18.0-0, < 1.18.4
golang•go
< 1.17.12 | ≥ 1.18.0, < 1.18.4
Go•stdlib
≥ 1.18.0-0, < 1.18.4