{"id":"GO-2020-0019","summary":"Integer overflow in github.com/gorilla/websocket","details":"An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.","aliases":["CVE-2020-27813","GHSA-3xh2-74w9-5vxm","GHSA-jf24-p9p9-4rjh"],"modified":"2026-03-17T04:05:39.487926Z","published":"2021-04-14T20:04:52Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2020-0019"},"references":[{"type":"FIX","url":"https://github.com/gorilla/websocket/pull/537"},{"type":"FIX","url":"https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37"}],"affected":[{"package":{"name":"github.com/gorilla/websocket","ecosystem":"Go","purl":"pkg:golang/github.com/gorilla/websocket"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.4.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Conn.Close","Conn.NextReader","Conn.NextWriter","Conn.ReadJSON","Conn.ReadMessage","Conn.WriteControl","Conn.WriteJSON","Conn.WriteMessage","Conn.WritePreparedMessage","Conn.advanceFrame","Dialer.Dial","Dialer.DialContext","NewClient","NewPreparedMessage","ReadJSON","Subprotocols","Upgrade","Upgrader.Upgrade","WriteJSON","flateReadWrapper.Read","flateWriteWrapper.Close","flateWriteWrapper.Write","httpProxyDialer.Dial","messageReader.Read","messageWriter.Close","messageWriter.ReadFrom","messageWriter.Write","messageWriter.WriteString","netDialerFunc.Dial","proxy_direct.Dial","proxy_envOnce.Get","proxy_socks5.Dial","truncWriter.Write"],"path":"github.com/gorilla/websocket"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0019.json"}}],"schema_version":"1.7.5","credits":[{"name":"Max Justicz"}]}