CVE-2021-23351

CVE-2021-23351 is a medium-severity vulnerability in Go-proxyproto Project Go-proxyproto with a CVSS 3.x base score of 4.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.

Key facts

Description

The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in the code, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code - and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging. The risk here is small, because only trusted sources should be allowed to send proxy protocol headers.

Frequently asked questions

What is CVE-2021-23351?
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in the code, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code - and create a DoS. This can be exploited by sending a stream starting with PROXY and continuing to send data (which does not contain a newline) until the target stops acknowledging. The risk here is small, because only trusted sources should be allowed to send proxy protocol headers.
How severe is CVE-2021-23351?
CVE-2021-23351 has a CVSS 3.x base score of 4.4, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2021-23351 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (77th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-23351?
CVE-2021-23351 primarily affects Go-proxyproto Project Go-proxyproto. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-23351?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-23351 published?
CVE-2021-23351 was published on 2021-03-08 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Go-proxyproto Project Go-proxyproto

All CVEs affecting Go-proxyproto Project Go-proxyproto →