Releases9
Frequency9 months 2 weeks
Last Release
Stars1.51K
Package gorilla/schema fills a struct with form values.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
7.5 HIGH

gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

>= 2.0.0, < 2.5.1, < 1.13.15.4 MEDIUM3.5 LOW

The schema (aka Embedding schema.org vocabulary) extension before 1.13.1 and 2.x before 2.5.1 for TYPO3 allows XSS.