7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2529

CVE-2022-2529: Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Impact

The sflow decode package prior to version 3.4.4 does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume huge amounts of memory resulting in a denial of service.

Specific Go Packages Affected

github.com/cloudflare/goflow/v3/decoders/sflow

Patches

Version 3.4.4 contains patches fixing this.

Workarounds

A possible workaround is to not have your goflow collector publicly reachable.

For more information

If you have any questions or comments about this advisory:

Open an issue in goflow repo
Email us netdev[@]cloudflare.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2529

CVE-2022-2529:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cloudflare/goflow/v3	go	< 3.4.4	3.4.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing input validation on size fields in packet decoding functions. The patches explicitly add constraints like MAX_FLOWS_PER_PACKET, MAX_AS_PATH_LENGTH, and MAX_SAMPLES_PER_PACKET to these functions. The pre-patch code allocated memory based directly on attacker-controlled packet fields without sanitization, enabling memory exhaustion attacks. The affected functions are clearly identified in the commit diffs (netflow.go and sflow.go), and the CWE mappings (CWE-20/CWE-400) directly correlate to these missing validations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2529: Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Impact

Specific Go Packages Affected

Patches

Workarounds

For more information

CVE-2022-2529:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-2529: Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Impact

Specific Go Packages Affected

Patches

Workarounds

For more information

7.5

7.5

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI