{"id":"GO-2024-2826","summary":"Denial of service attack by triggering unbounded memory usage in vitess.io/vitess","details":"When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.","aliases":["CVE-2024-32886","GHSA-649x-hxfx-57j2"],"modified":"2026-03-17T04:49:11.180532Z","published":"2024-05-10T20:07:17Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2826"},"references":[{"type":"ADVISORY","url":"https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2"},{"type":"FIX","url":"https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df"},{"type":"FIX","url":"https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055"},{"type":"FIX","url":"https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d"},{"type":"FIX","url":"https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202"},{"type":"WEB","url":"https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79"},{"type":"WEB","url":"https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71"}],"affected":[{"package":{"name":"vitess.io/vitess","ecosystem":"Go","purl":"pkg:golang/vitess.io/vitess"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.17.7"},{"introduced":"0.18.0"},{"fixed":"0.18.5"},{"introduced":"0.19.0"},{"fixed":"0.19.4"}]}],"ecosystem_specific":{"imports":[{"symbols":["Convert","ConvertFromBinary","ConvertFromUTF8","Validate","convertSlow"],"path":"vitess.io/vitess/go/mysql/collations/charset"},{"symbols":["Charset_ucs2.DecodeRune","Charset_utf16be.DecodeRune","Charset_utf16be.EncodeRune","Charset_utf32.EncodeRune"],"path":"vitess.io/vitess/go/mysql/collations/charset/unicode"},{"symbols":["Add","AggregateEvalTypes","CoerceTo","CoerceTypes","Column.Format","Column.FormatFast","Comparison.ApplyTinyWeights","Comparison.Compare","Comparison.Less","Comparison.More","Comparison.Sort","Comparison.SortResult","CompiledExpr.Format","CompiledExpr.FormatFast","Divide","EvalResult.MustBoolean","EvalResult.String","EvalResult.ToBoolean","EvalResult.ToBooleanStrict","EvalResult.TupleValues","EvalResult.Value","ExpressionEnv.Evaluate","ExpressionEnv.EvaluateVM","FieldResolver.Column","IntroducerExpr.eval","Literal.Format","Literal.FormatFast","Merger.Init","Merger.Pop","Merger.Push","Multiply","NewLiteralBinaryFromBit","NewLiteralDateFromBytes","NewLiteralDatetimeFromBytes","NewLiteralDecimalFromBytes","NewLiteralFloatFromBytes","NewLiteralIntegralFromBytes","NewLiteralTimeFromBytes","NullSafeAdd","NullsafeCompare","NullsafeHashcode","NullsafeHashcode128","OrderByParams.Compare","OrderByParams.String","Sorter.Push","Sorter.Sorted","Subtract","Translate","TupleBindVariable.Format","TupleBindVariable.FormatFast","TupleExpr.Format","TupleExpr.FormatFast","UnsupportedCollationError.Error","UntypedExpr.Compile","UntypedExpr.Format","UntypedExpr.FormatFast","WeightString","aggregationDecimal.Add","aggregationDecimal.Max","aggregationDecimal.Min","aggregationFloat.Add","aggregationFloat.Max","aggregationFloat.Min","aggregationInt.Add","aggregationInt.Max","aggregationInt.Min","aggregationMinMax.Max","aggregationMinMax.Min","aggregationSumAny.Add","aggregationSumCount.Add","aggregationUint.Add","aggregationUint.Max","aggregationUint.Min","argError.Error","assembler.Fn_JSON_KEYS","assembler.Fn_REGEXP_REPLACE_slow","assembler.PushLiteral","astCompiler.translateIntroducerExpr","errJSONType.Error","evalBytes.Hash"],"path":"vitess.io/vitess/go/vt/vtgate/evalengine"}],"custom_ranges":[{"events":[{"introduced":"0"},{"fixed":"17.0.7"},{"introduced":"18.0.0"},{"fixed":"18.0.5"},{"introduced":"19.0.0"},{"fixed":"19.0.4"}],"type":"ECOSYSTEM"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2826.json"}}],"schema_version":"1.7.5","credits":[{"name":"@dbussink, @mattrobenolt, and @vmg"}]}