CVE-2024-37298

Name	CVE-2024-37298
Description	gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1075973

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-gorilla-schema (PTS)	sid, trixie, bookworm	1.2.0-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-github-gorilla-schema	source	(unstable)	(unfixed)			1075973

Notes

[bookworm] - golang-github-gorilla-schema <no-dsa> (Minor issue)
https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3
https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff (v1.4.1)