CVE-2021-33198

Severity: 7.5 HIGH

📋 TL;DR

This vulnerability in Go's math/big package causes a panic (crash) when Rat.SetString or Rat.UnmarshalText parses a rational number string that contains an extremely large exponent. It affects applications that call either method on untrusted input. Systems running Go 1.15.x before 1.15.13 or Go 1.16.x before 1.16.5 are vulnerable.

💻 Affected Systems

Products:
  • Go programming language
  • Applications built with Go
Versions: Go 1.15.x before 1.15.13, Go 1.16.x before 1.16.5
Operating Systems: All platforms running Go
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects code using math/big.Rat SetString or UnmarshalText methods with untrusted input containing large exponents.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service causing application crashes and potential service disruption when processing malicious input.

🟠 Likely Case

Application instability or crashes when parsing malformed rational number strings from external sources.

🟢 If Mitigated

Minimal impact if input validation prevents large exponents or applications don't use the affected methods with untrusted data.

🌐 Internet-Facing: MEDIUM - Web applications parsing user input with affected methods could be crashed by attackers.
🏢 Internal Only: LOW - Requires specific code patterns and untrusted input to trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple input manipulation can trigger the panic. Exploit code has been published in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.15.13, Go 1.16.5

Vendor Advisory: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI

Restart Required: Yes

Instructions:

1. Update the Go toolchain to 1.15.13 or later (1.15 branch) or 1.16.5 or later (1.16 branch).
2. Recompile all Go applications with the updated compiler; binaries built with a vulnerable toolchain remain vulnerable until rebuilt.
3. Restart affected services.

🔧 Temporary Workarounds

Input validation for rational numbers (applies to: all platforms)

Validate input to reject extremely large exponents before passing it to math/big.Rat methods. Implement this validation in application code.

🧯 If You Can't Patch

  • Implement strict input validation to reject rational numbers with exponents exceeding safe limits
  • Deploy WAF rules to block requests containing suspicious rational number patterns
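The pre-validation described in the workaround and the "If You Can't Patch" list above, written as an added example (not code from the Go project or the advisory): the string is checked for an oversized e/E exponent before it ever reaches math/big. The MaxExponent limit of 1000, the function names and the rejection of prefixed (0x/0b/0o) forms are assumptions chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// MaxExponent is an assumed application limit on |exponent|; it is not a value from the advisory.
const MaxExponent = 1000
var ErrExponentTooLarge = errors.New("rational string rejected: exponent exceeds limit")
var ErrUnsupportedForm = errors.New("rational string rejected: unsupported form")
// checkExponent accepts only plain decimal input ("a/b", "d.dd", "d.dde±N") and rejects an e/E
// exponent beyond maxExp. Prefixed forms (0x, 0b, 0o) and p-exponents are refused outright.
func checkExponent(s string, maxExp int) error {
	if strings.ContainsAny(s, "xXbBoOpP") {
		return ErrUnsupportedForm
	}
	i := strings.IndexAny(s, "eE")
	if i < 0 {
		return nil // fraction or plain decimal: nothing to bound
	}
	// Atoi takes an optional sign; an exponent too long to fit in an int is exactly what to refuse.
	exp, err := strconv.Atoi(s[i+1:])
	if err != nil || exp > maxExp || exp < -maxExp {
		return ErrExponentTooLarge
	}
	return nil
}

// ParseRat runs the pre-check and only then hands the string to math/big.
func ParseRat(s string, maxExp int) (*big.Rat, error) {
	if err := checkExponent(s, maxExp); err != nil {
		return nil, err
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, fmt.Errorf("rational string rejected: %q is not a rational", s)
	}
	return r, nil
}

func main() {
	for _, in := range []string{"3/4", "1.5e3", "-2.25E-2", "1e1000000000000", "0x10"} {
		r, err := ParseRat(in, MaxExponent)
		fmt.Printf("%-18q -> %v (err: %v)\n", in, r, err) // a nil *big.Rat prints as <nil>
	}
}
```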

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the reported version is 1.15.x with x below 13, or 1.16.x with x below 5, the toolchain is vulnerable. For an already-built binary, 'go version <binary>' reports the toolchain version it was compiled with.

Check Version:

go version

Verify Fix Applied:

After update, run 'go version' to confirm version is 1.15.13+ or 1.16.5+. Test with known malicious input to ensure no panic occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs mentioning panic in math/big.Rat
  • Stack traces containing SetString or UnmarshalText

Network Indicators:

  • HTTP requests containing rational numbers with extremely large exponents

SIEM Query:

source="application.logs" AND "panic" AND ("math/big.Rat" OR "SetString" OR "UnmarshalText")
