{"id":"GO-2021-0088","summary":"Denial of service via ignored unknown fields in github.com/facebook/fbthrift","details":"Skip ignores unknown fields, rather than failing. A malicious user can craft small messages with unknown fields which can take significant resources to parse. If a server accepts messages from an untrusted user, it may be used as a denial of service vector.","aliases":["CVE-2019-3564","GHSA-x4rg-4545-4w7w"],"modified":"2026-03-17T04:05:46.363682Z","published":"2021-04-14T20:04:52Z","related":["CGA-whv4-8724-7988"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0088","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/facebook/fbthrift/commit/c461c1bd1a3e130b181aa9c854da3030cd4b5156"},{"type":"WEB","url":"https://www.facebook.com/security/advisories/cve-2019-3564"}],"affected":[{"package":{"name":"github.com/facebook/fbthrift","ecosystem":"Go","purl":"pkg:golang/github.com/facebook/fbthrift"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.31.1-0.20190225164308-c461c1bd1a3e"}]}],"ecosystem_specific":{"imports":[{"symbols":["BinaryProtocol.Skip","CompactProtocol.Skip","HeaderProtocol.Skip","JSONProtocol.Skip","Process","ProcessContext","SimpleJSONProtocol.Skip","SimpleServer.AcceptLoop","SimpleServer.AcceptLoopContext","SimpleServer.Serve","SimpleServer.ServeContext","Skip","SkipDefaultDepth","applicationException.Read"],"path":"github.com/facebook/fbthrift/thrift/lib/go/thrift"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0088.json"}}],"schema_version":"1.7.5"}