CVE-2024-10846 – github.com/compose-spec/compose-go/v2

Package

Manager: go
Name: github.com/compose-spec/compose-go/v2
Vulnerable Version: >=2.1.0 <2.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00036 pctl0.09136

Details

Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop ### Impact The `compose-go` library component in versions `v2.10-v2.4.0` allows an authorized user who sends malicious YAML payloads to cause the `compose-go` to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions ` v2.27.0` to `v2.29.7` included ### Patches compose-go `v2.24.1` fixed the issue ### Workarounds There isn't any known workaround. ### References * https://github.com/docker/compose/issues/12235 * https://github.com/compose-spec/compose-go/pull/703 * https://github.com/compose-spec/compose-go/pull/618 * https://github.com/docker/compose/commit/d239f0f3187a2ed5404c61f83bd5e995c81600ff#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R10

Metadata

Created: 2025-01-21T20:24:02Z
Modified: 2025-04-28T14:09:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-36gq-35j3-p9r9/GHSA-36gq-35j3-p9r9.json
CWE IDs: ["CWE-20", "CWE-400"]
Alternative ID: GHSA-36gq-35j3-p9r9
Finding: F067
Auto approve: 1