Miggo Logo
Miggo Vulnerability Database
GHSA-hxp2-xqf3-v83h

GHSA-hxp2-xqf3-v83h: Panic during unmarshal of Hello Verify Request in github.com/pion/dtls/v2

5.9

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-hxp2-xqf3-v83h
EPSS Score
-
CWE
CWE-125
Published
2/7/2023
Updated
6/13/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/pion/dtls/v2go< 2.2.42.2.4
github.com/pion/dtlsgo<= 1.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The commit diff shows critical buffer check additions in MessageServerHello.Unmarshal
  2. Go vulnerability report GO-2023-1535 explicitly lists MessageServerHello.Unmarshal as affected
  3. CWE-125 matches the OOB read pattern observed in the pre-patch code
  4. Advisory descriptions specifically mention Server Hello unmarshalling as the vulnerable operation
  5. The patch adds a 'currOffset+2' check before CipherSuiteID access, indicating this was the missing safeguard

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n *tt*mptin* to unm*rs**l * S*rv*r **llo r*qu*st w* *oul* *tt*mpt to unm*rs**l into * *u***r t**t w*s too sm*ll. T*is *oul* r*sult in * p*ni* l***in* t** pro*r*m to *r*s*. T*is issu* *oul* ** **us** to **us* * **ni*l o* s*rvi**. ###

Reasoning

*. T** *ommit *i** s*ows *riti**l *u***r ****k ***itions in M*ss***S*rv*r**llo.Unm*rs**l *. *o vuln*r**ility r*port *O-****-**** *xpli*itly lists M*ss***S*rv*r**llo.Unm*rs**l *s *****t** *. *W*-*** m*t***s t** OO* r*** p*tt*rn o*s*rv** in t** pr*-p*t