Login Sign Up

CVE-2021-27918

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in Go's XML encoding package causes an infinite loop when a custom TokenReader returns EOF in the middle of an XML element. This can lead to denial of service by consuming excessive CPU resources. Any Go application using xml.NewTokenDecoder with custom TokenReader implementations is affected.

💻 Affected Systems

Products:
  • Go programming language
Versions: Go 1.0 to 1.15.8, Go 1.16.0
Operating Systems: All operating systems running affected Go versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using xml.NewTokenDecoder with custom TokenReader implementations that can return EOF mid-element.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through CPU exhaustion, potentially causing application crashes and service unavailability.

🟠

Likely Case

Application hangs or becomes unresponsive when processing malformed XML with custom TokenReader implementations.

🟢

If Mitigated

Minimal impact if proper input validation and error handling are implemented, though CPU spikes may still occur.

🌐 Internet-Facing: MEDIUM - Exploitable if application accepts XML input from untrusted sources, but requires specific custom TokenReader implementation.
🏢 Internal Only: LOW - Typically requires internal XML processing with vulnerable custom implementations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of custom TokenReader implementation and ability to provide malformed XML input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.15.9, Go 1.16.1

Vendor Advisory: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw

Restart Required: Yes

Instructions:

1. Update Go installation to version 1.15.9 or 1.16.1+. 2. Recompile all Go applications with updated version. 3. Restart affected services.

🔧 Temporary Workarounds

Input validation for XML

all

Implement strict input validation and sanitization for XML input to prevent malformed data from reaching vulnerable code paths.

Timeout implementation

all

Add timeout mechanisms to XML parsing operations to prevent infinite loops from causing permanent hangs.

🧯 If You Can't Patch

  • Implement circuit breakers and monitoring for CPU usage spikes during XML processing
  • Deploy rate limiting and input size restrictions for XML processing endpoints

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version' command and verify if using xml.NewTokenDecoder with custom TokenReader implementations.

Check Version:

go version

Verify Fix Applied:

Confirm Go version is 1.15.9+ or 1.16.1+ and test XML parsing with edge cases that previously caused hangs.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • XML parsing timeouts
  • Application hang/crash logs

Network Indicators:

  • Increased XML payload sizes to vulnerable endpoints
  • Repeated XML requests causing service degradation

SIEM Query:

source="application_logs" AND ("CPU spike" OR "XML parse timeout" OR "application hang")

📊 Metadata

CVE ID: CVE-2021-27918
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-835
Published: March 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-27918, you might also want to check these:

CVE-2021-42143 9.1

This vulnerability in Contiki-NG tinyDTLS allows remote attackers to cause denial of service and pot...

Same vulnerability type (CWE-835)
CVE-2026-25533 8.8

This vulnerability allows attackers to bypass multiple security layers in Enclave, a JavaScript sand...

Same vulnerability type (CWE-835)
CVE-2023-20083 8.6

A vulnerability in Cisco Firepower Threat Defense (FTD) Software's ICMPv6 inspection with Snort 2 al...

Same vulnerability type (CWE-835)