7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2529

GHSA ID

GHSA-9rpw-2h95-666c

EPSS Score

0.5876%

CWE

CWE-20

Published

10/1/2022

Updated

10/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2529

CVE-2022-2529:
Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Impact

The sflow decode package prior to version 3.4.4 does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume huge amounts of memory resulting in a denial of service.

Specific Go Packages Affected

github.com/cloudflare/goflow/v3/decoders/sflow

Patches

Version 3.4.4 contains patches fixing this.

Workarounds

A possible workaround is to not have your goflow collector publicly reachable.

For more information

If you have any questions or comments about this advisory:

Open an issue in goflow repo
Email us netdev[@]cloudflare.com

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2529

GHSA ID

GHSA-9rpw-2h95-666c

EPSS Score

0.5876%

CWE

CWE-20

Published

10/1/2022

Updated

10/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cloudflare/goflow/v3	go	< 3.4.4	3.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing input validation on size fields in packet decoding functions. The patches explicitly add constraints like MAX_FLOWS_PER_PACKET, MAX_AS_PATH_LENGTH, and MAX_SAMPLES_PER_PACKET to these functions. The pre-patch code allocated memory based directly on attacker-controlled packet fields without sanitization, enabling memory exhaustion attacks. The affected functions are clearly identified in the commit diffs (netflow.go and sflow.go), and the CWE mappings (CWE-20/CWE-400) directly correlate to these missing validations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** s*low ***o** p**k*** prior to v*rsion *.*.* *o*s not *mploy su**i*i*nt p**k*t s*nitis*tion w*i** **n l*** to * **ni*l o* s*rvi** *tt**k. *tt**k*rs **n *r**t m*l*orm** p**k*ts **usin* t** pro**ss to *onsum* *u** *mounts o* m*mory r*sult

Reasoning

T** vuln*r**ility st*ms *rom missin* input v*li**tion on siz* *i*l*s in p**k*t ***o*in* *un*tions. T** p*t***s *xpli*itly *** *onstr*ints lik* M*X_*LOWS_P*R_P**K*T, M*X_*S_P*T*_L*N*T*, *n* M*X_S*MPL*S_P*R_P**K*T to t**s* *un*tions. T** pr*-p*t** *o**

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-2529: Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Impact

Specific Go Packages Affected

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-2529:
Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Vulnerability Intelligence
Miggo AI