Miggo Logo
Miggo Vulnerability Database
GHSA-4xgv-j62q-h3rj

GHSA-4xgv-j62q-h3rj: Panic during unmarshal of Hello Verify Request in github.com/pion/dtls/v2

5.9

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-4xgv-j62q-h3rj
EPSS Score
-
CWE
-
Published
2/7/2023
Updated
6/13/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/pion/dtls/v2go< 2.2.42.2.4
github.com/pion/dtlsgo<= 1.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the Unmarshal method of MessageHelloVerifyRequest. The commit diff shows the fix explicitly modifies this function by changing cookieLength handling from a byte + cast to a direct int. This addresses a scenario where insufficient buffer validation could cause a panic. The Go vulnerability report (GO-2023-1534) explicitly lists this function as affected, and the patch directly targets this method. The combination of code analysis, commit context, and advisory references confirms this as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *urin* t** unm*rs**llin* o* * **llo v*ri*y r*qu*st w* *oul* try to unm*rs**l into too sm*ll * *u***r. is *oul* r*sult in * p*ni* l***in* t** pro*r*m to *r*s*. T*is issu* *oul* ** **us** to **us* * **ni*l o* s*rvi**. ### Work*roun* Non*

Reasoning

T** vuln*r**ility st*ms *rom t** `Unm*rs**l` m*t*o* o* `M*ss*****lloV*ri*yR*qu*st`. T** *ommit *i** s*ows t** *ix *xpli*itly mo*i*i*s t*is `*un*tion` *y ***n*in* `*ooki*L*n*t*` **n*lin* *rom * *yt* + **st to * *ir**t `int`. T*is ***r*ss*s * s**n*rio