github.com/bogdanfinn/tls-client is vulnerable to Race Condition
34
Low Risk
Affected versions of the package are vulnerable to a race condition: concurrent execution uses a shared resource without proper synchronization. The issue appeared once the ability to define CONNECT headers was implemented, and it arises when a proxy is set on the client instance repeatedly in quick succession. When a new proxy is set, the connectDialer writes proxy authentication credentials to the DefaultHeader map. Previous versions spawned a new header map each time, but the latest update reuses the same connectHeaders map. Since Go does not support concurrent map writes, rapid proxy changes can eventually cause a panic when multiple goroutines write to the same map simultaneously.
You are affected if you are using the vulnerable version and you have defined CONNECT headers.
github.com/bogdanfinn/tls-client is vulnerable to Race Condition in version 1.7.7.
Upgrade the github.com/bogdanfinn/tls-client library to the patched version.
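The shared-map pattern described above next to a per-dialer copy, as an added example that is not tls-client's own code: the `connectDialer` type here, the function names and the `proxy.example` host are hypothetical stand-ins. Only the isolated variant is exercised concurrently, because the shared one can abort the process.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// connectDialer is a hypothetical stand-in for the dialer named in the advisory.
type connectDialer struct{ DefaultHeader http.Header }

// basicAuth builds the Proxy-Authorization value from the proxy URL's userinfo.
func basicAuth(u *url.URL) string {
	pw, _ := u.User.Password()
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(u.User.Username()+":"+pw))
}

// newDialerShared shows the flawed pattern: each proxy change writes into the
// caller's single map. Concurrent calls can hit "fatal error: concurrent map
// writes", which recover() cannot intercept.
func newDialerShared(proxy *url.URL, connectHeaders http.Header) *connectDialer {
	connectHeaders.Set("Proxy-Authorization", basicAuth(proxy)) // write to shared map
	return &connectDialer{DefaultHeader: connectHeaders}
}

// newDialerIsolated clones first, so the caller's map is only ever read.
func newDialerIsolated(proxy *url.URL, connectHeaders http.Header) *connectDialer {
	h := connectHeaders.Clone()
	h.Set("Proxy-Authorization", basicAuth(proxy))
	return &connectDialer{DefaultHeader: h}
}

// rotateProxies sets n different proxies from n goroutines (constructed input).
func rotateProxies(n int, shared http.Header) []*connectDialer {
	out := make([]*connectDialer, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			u, _ := url.Parse(fmt.Sprintf("http://user%d:pw@proxy.example:8080", i))
			out[i] = newDialerIsolated(u, shared)
		}(i)
	}
	wg.Wait()
	return out
}

func main() { fmt.Println(len(rotateProxies(64, http.Header{"X-Trace": {"constructed"}}))) }
```

Running a variant that calls `newDialerShared` from the goroutines under `go run -race` reports the data race even on runs where the runtime's own map check does not fire.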