CVE-2022-1962
Plain English Summary
An attacker can crash a Go application that parses untrusted Go source with go/parser by feeding it deeply nested types or declarations: the parser recurses once per nesting level and exhausts the stack. This issue affects Go releases before the fixed versions, so running an outdated toolchain increases the risk.
Technical Description
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
CVSS Vector Analysis
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Quick Information
Published
Aug 10, 2022
Last Modified
Mar 6, 2026
Vendor
golang
Product
go
Related Vulnerabilities
This vulnerability allows an attacker to manipulate the X-Forwarded-For header, potentially exposing the true client IP address when using the Go ReverseProxy feature. It occurs when the header is set to a nil value, which can happen in certain configurations on versions of Go before the fix.
An attacker can cause a program using certain versions of Go to crash by sending it a message with deeply nested data structures, which overwhelms the system's memory. This vulnerability requires the attacker to be able to send specially crafted messages to the affected application.
An attacker can crash a Go application by sending a specially crafted XML document that causes excessive nesting in the data structure being processed. This vulnerability affects versions of Go before 1.17.12 and 1.18.4, and it requires the application to use the 'any' field tag in its data structures.
An attacker can crash a Go application by sending it a specially crafted file path with many separators, which causes the program to run out of memory and stop working. This issue affects versions of Go before 1.17.12 and 1.18.4, so using an outdated version increases the risk.
This vulnerability allows an attacker to track users' connections by observing the ages of session tickets during secure connections, which can help them link multiple sessions together. However, the attacker needs to be able to watch the TLS handshakes happening between the user and the server to exploit this weakness.