HostnameError

HIGH (7.5) No Patch (11 days)

Threat Intelligence

Low Risk
EPSS Score: 0.02% chance of exploitation (percentile: 3%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

HostnameError is a vulnerability in Go's net/http package: an attacker can cause all hosts on the system to be printed in an error string that is constructed by repeated string concatenation. If a malicious actor provides a certificate, this can lead to excessive resource consumption and a denial-of-service (DoS) condition.
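The cost pattern described above, shown as an added example that is not Go's own code or the patch: an error message built with `+=` over an attacker-sized list of names, next to a bounded version. The function names, the message wording, the `maxListed` cap and the idea that the names come from the supplied certificate are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// maxListed is an assumed cap for this example, not a value from the advisory.
const maxListed = 100

// describeConcat (hypothetical) builds the message the costly way: each +=
// copies everything built so far, so work grows quadratically with len(names).
func describeConcat(host string, names []string) string {
	valid := ""
	for _, n := range names {
		if len(valid) > 0 {
			valid += ", "
		}
		valid += n
	}
	return "certificate is valid for " + valid + ", not " + host
}

// describeBounded (hypothetical) lists at most maxListed names in a single
// pass and reports the remainder as a count, so output size is capped.
func describeBounded(host string, names []string) string {
	shown := names
	if len(shown) > maxListed {
		shown = shown[:maxListed]
	}
	var b strings.Builder
	b.WriteString("certificate is valid for ")
	b.WriteString(strings.Join(shown, ", "))
	if extra := len(names) - len(shown); extra > 0 {
		fmt.Fprintf(&b, " (and %d more)", extra)
	}
	b.WriteString(", not " + host)
	return b.String()
}

func main() {
	names := make([]string, 20000) // constructed sample input
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example", i)
	}
	fmt.Println(len(describeConcat("a.example", names)), len(describeBounded("a.example", names)))
}
```

Whatever logs or returns such an error inherits its size, so capping the list also bounds log volume for failed handshakes.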

Am I affected?

Specific version info not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

go: github.com/golang/go

Affected Products

The Go Team / Go

How to fix

Concrete steps:

  • Upgrade to Go 1.18 or later: https://golang.org/doc/go1.18#release-notes
  • Apply the patch from issue #76445 on go.dev: https://go.dev/issue/76445

Immediate mitigations:
  • Set net.DNSCacheTimeout to a low value (e.g., 0) in your Go application's configuration.
  • Disable DNS caching by setting net.DNSCacheTimeout to -1.
  • Use the dns.Client method with the NoCache option enabled.