CVE-2020-29511

9.8 CRITICAL

📋 TL;DR

This vulnerability in Go's encoding/xml package allows attackers to craft XML inputs that behave inconsistently during different processing stages. This can lead to security bypasses, data corruption, or injection attacks in applications that parse XML. All Go applications using the standard library's XML parser are potentially affected.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's encoding/xml package
Versions: All versions of Go prior to 1.15.6 and 1.14.13
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Go application that parses XML using the standard library is vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through XML parsing leading to remote code execution or data exfiltration in vulnerable applications.

🟠 Likely Case: XML parsing inconsistencies causing application crashes, data corruption, or security control bypasses in affected systems.

🟢 If Mitigated: Limited impact with proper input validation and XML sanitization, potentially causing only parsing errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious XML payloads that trigger the namespace prefix inconsistency.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.15.6 and 1.14.13

Vendor Advisory: https://golang.org/doc/devel/release#go1.15.minor

Restart Required: Yes

Instructions:

1. Update Go to version 1.15.6 or 1.14.13
2. Recompile all affected applications
3. Restart services using the updated binaries

🔧 Temporary Workarounds

XML Input Validation

all

Implement strict XML schema validation and sanitization before parsing

Use Alternative XML Parser

all

Replace encoding/xml with a third-party XML library that isn't affected
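
One way to apply the "XML Input Validation" workaround above, as an added example (not code from the Go project or from this advisory): a conservative pre-parse filter that rejects any document whose element or attribute names use a malformed namespace prefix or one not declared in scope. The function name `prefixesOK` and the sample documents are assumptions made for illustration.

```go
package main
import (
	"encoding/xml"
	"io"
	"strings"
)

// prefixesOK is a hypothetical pre-parse filter (added example): false on undeclared or malformed prefixes.
func prefixesOK(doc string) bool {
	dec := xml.NewDecoder(strings.NewReader(doc))
	scopes := []map[string]bool{{"xml": true}} // the "xml" prefix is always bound
	valid := func(n xml.Name) bool {
		ok := n.Space == "" // unprefixed names need no declaration
		for _, s := range scopes {
			ok = ok || s[n.Space]
		}
		return ok && n.Local != "" && !strings.Contains(n.Local, ":")
	}
	for {
		tok, err := dec.RawToken() // RawToken leaves prefixes untranslated
		if err != nil {
			return err == io.EOF // clean end of input passes; syntax errors fail
		}
		switch t := tok.(type) {
		case xml.StartElement:
			names := []xml.Name{t.Name}
			scopes = append(scopes, map[string]bool{})
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" && a.Name.Local != "" {
					scopes[len(scopes)-1][a.Name.Local] = true // xmlns:prefix binding
				} else {
					names = append(names, a.Name)
				}
			}
			for _, n := range names {
				if !valid(n) {
					return false
				}
			}
		case xml.EndElement:
			if !valid(t.Name) || len(scopes) == 1 {
				return false // bad name or unbalanced end tag
			}
			scopes = scopes[:len(scopes)-1]
		}
	}
}

// Constructed sample documents: a declared prefix, then an undeclared one.
func main() { println(prefixesOK(`<a:r xmlns:a="urn:example"/>`), prefixesOK(`<a:r/>`)) }
```

Run it on the raw input before handing the document to `xml.Unmarshal`; it narrows what reaches the parser and is not a substitute for the official fix.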

🧯 If You Can't Patch

  • Implement WAF rules to block suspicious XML payloads
  • Isolate vulnerable applications behind strict network segmentation

🔍 How to Verify

Check if Vulnerable:

Run 'go version' and check whether the reported version is below 1.15.6 or 1.14.13

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.15.6+ or 1.14.13+ and test XML parsing functionality

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors
  • Unexpected application crashes
  • Unusual XML payload sizes or structures

Network Indicators:

  • Large or malformed XML requests
  • Repeated XML parsing attempts

SIEM Query:

source="application.log" AND ("xml parse error" OR "namespace" OR "encoding/xml")
