vulnerability

FreeBSD: VID-72709326-81f7-11eb-950a-00155d646401 (CVE-2021-27919): go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:N/A:P)	Mar 10, 2021	Mar 11, 2021	Dec 10, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:N/A:P)

Published

Mar 10, 2021

Added

Mar 11, 2021

Modified

Dec 10, 2025

Description

The Go project reports: The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../".

Solution

freebsd-upgrade-package-go

References

CVE-2021-27919
https://attackerkb.com/topics/CVE-2021-27919

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today