
CVE-2013-10005: socks Infinite Loop vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.38119%
Published: 12/28/2022
Updated: 2/14/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name                           Ecosystem  Vulnerable Versions                        First Patched Version
github.com/btcsuite/go-socks           go         < 0.0.0-20130808000456-233bccbb1abe        0.0.0-20130808000456-233bccbb1abe
github.com/btcsuitereleases/go-socks   go         < 0.0.0-20130808000456-233bccbb1abe        0.0.0-20130808000456-233bccbb1abe

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

  1. The commit diff shows both methods originally contained 'return c.LocalAddr()' and 'return c.RemoteAddr()' respectively, creating direct recursion
  2. The patch changes these to 'c.conn.LocalAddr()' and 'c.conn.RemoteAddr()', indicating the original implementation lacked proper delegation
  3. CVE description explicitly names these methods as the source of infinite recursion
  4. GO-2020-0024 vulnerability report lists these exact unexported methods as affected symbols
  5. The infinite loop occurs because method calls would repeatedly invoke themselves rather than the embedded connection's implementation
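The self-call and its fix, reduced to a minimal wrapper, as an added example that is not go-socks's own code; the type name proxiedConn, the field conn and the fakeConn stand-in are hypothetical, chosen to mirror the shape the analysis describes:

```go
package main

import (
	"fmt"
	"net"
)

// proxiedConn wraps the connection handed back after a SOCKS handshake.
// Hypothetical name; it only mirrors the struct-with-a-conn-field shape
// described in the root cause analysis, not the go-socks type itself.
type proxiedConn struct {
	conn net.Conn
}

// Vulnerable pattern (shown for illustration, deliberately not compiled in):
// the method returns c.LocalAddr(), i.e. itself, so every call recurses until
// the goroutine stack is exhausted and the Go runtime aborts the process.
//
//	func (c *proxiedConn) LocalAddr() net.Addr  { return c.LocalAddr() }
//	func (c *proxiedConn) RemoteAddr() net.Addr { return c.RemoteAddr() }

// Fixed pattern: delegate to the wrapped connection's implementation.
func (c *proxiedConn) LocalAddr() net.Addr  { return c.conn.LocalAddr() }
func (c *proxiedConn) RemoteAddr() net.Addr { return c.conn.RemoteAddr() }

// fakeConn is a constructed stand-in for a real socket so the example runs
// offline. Embedding net.Conn satisfies the interface; only the two address
// methods are implemented because nothing else is called here.
type fakeConn struct {
	net.Conn
	local, remote net.Addr
}

func (f fakeConn) LocalAddr() net.Addr  { return f.local }
func (f fakeConn) RemoteAddr() net.Addr { return f.remote }

// newProxiedConn builds the wrapper around a constructed inner connection
// with loopback addresses (sample values, not from the advisory).
func newProxiedConn() *proxiedConn {
	inner := fakeConn{
		local:  &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 40000},
		remote: &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1080},
	}
	return &proxiedConn{conn: inner}
}

func main() {
	c := newProxiedConn()
	fmt.Println(c.LocalAddr(), "->", c.RemoteAddr())
}
```

A unit test that calls both methods on the wrapper is enough to catch this class of bug: the vulnerable version never returns, the fixed one returns the inner connection's addresses.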

Vulnerable functions


WAF Protection Rules

WAF Rule

The `RemoteAddr` and `LocalAddr` methods on the returned `net.Conn` may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.
