CVE-2020-29509

9.8 CRITICAL

📋 TL;DR

This vulnerability in Go's encoding/xml package allows attackers to craft XML inputs that behave inconsistently during different processing stages. This can lead to security bypasses, data corruption, or injection attacks in applications that parse XML. All Go applications using the standard library's XML parser are potentially affected.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's encoding/xml package
Versions: All versions of Go prior to 1.15.6 and 1.14.13
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Go application that parses XML from untrusted sources is vulnerable. The vulnerability is in the standard library, so all Go installations are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution, complete system compromise, or data integrity destruction through XML parsing inconsistencies

🟠 Likely Case: XML injection, data corruption, authentication bypass, or denial of service in affected applications

🟢 If Mitigated: Limited impact with proper input validation and XML sanitization controls

🌐 Internet-Facing: HIGH - XML parsing is common in web services and APIs exposed to untrusted inputs
🏢 Internal Only: MEDIUM - Internal applications may still process untrusted XML from various sources

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept exists in advisory references. Exploitation requires crafting specific XML payloads that trigger the namespace prefix inconsistency.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.15.6 and 1.14.13

Vendor Advisory: https://github.com/golang/go/issues/43168

Restart Required: Yes

Instructions:

1. Update Go to version 1.15.6 or 1.14.13 or later.
2. Recompile all Go applications with the updated version.
3. Redeploy patched applications.
4. Restart services using Go applications.

🔧 Temporary Workarounds

XML Input Validation

all

Implement strict XML schema validation and sanitization before parsing

Use Alternative XML Parser

all

Replace encoding/xml with a third-party XML library that isn't affected

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable XML processing services
  • Deploy web application firewall (WAF) with XML payload inspection rules

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the version is below 1.15.6 or 1.14.13, the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

Verify the Go version is 1.15.6+ or 1.14.13+ and recompile applications with the updated compiler.
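
Plain `go version` reports the installed toolchain, while `go version <file>` reports the release a deployed binary was built with, which is what matters after the recompile step. The script below is an added example, not part of the original advisory: it classifies each binary against the fixed releases listed on this page. The function names and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: thresholds are the fixed releases listed on this page.
# classify_go_version prints patched, vulnerable or unknown for a release
# string such as "go1.15.5" (function names here are illustrative).
classify_go_version() {
    v=${1#go}                            # "go1.15.5" -> "1.15.5"
    case $v in
        [0-9]*.[0-9]*) ;;                # major.minor[.patch|rcN|betaN]
        *) echo unknown; return 0 ;;     # e.g. "devel +abc123"
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}               # leading digits of the remainder
    tail=${rest#"$minor"}                # ".5", "rc1", "beta1" or ""
    if [ "$major" != 1 ]; then echo unknown; return 0; fi
    case $tail in
        .[0-9]*) patch=${tail#.}; patch=${patch%%[!0-9]*} ;;
        "")      patch=0 ;;              # "go1.15" is the .0 release
        *)       patch=-1 ;;             # rc/beta precede the .0 release
    esac
    # Assumption: release lines after 1.15 carry the fix ("or later").
    if [ "$minor" -ge 16 ]; then echo patched
    elif [ "$minor" -eq 15 ] && [ "$patch" -ge 6 ]; then echo patched
    elif [ "$minor" -eq 14 ] && [ "$patch" -ge 13 ]; then echo patched
    else echo vulnerable
    fi
}

# check_go_binary prints "<file>: <release> <status>" for one binary.
check_go_binary() {
    if out=$(go version "$1" 2>/dev/null); then
        built=${out##*: }                # text after the last ": "
        echo "$1: $built $(classify_go_version "$built")"
    else
        echo "$1: unknown (not a Go binary, or go is not installed)"
    fi
}

# Usage (placeholder paths): sh check-go-build.sh ./service-a ./service-b
for bin in "$@"; do
    check_go_binary "$bin"
done
```

A binary reported as vulnerable still needs a rebuild even when the host's own `go version` already shows a fixed release.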

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • XML payloads with unusual namespace prefixes
  • Application crashes during XML processing

Network Indicators:

  • Unusually large or complex XML payloads to XML endpoints
  • Multiple XML parsing attempts with varying namespace structures

SIEM Query:

source="application_logs" AND ("xml parse error" OR "namespace" OR "encoding/xml")
