chore(deps): Update module github.com/apache/thrift to v0.23.0 [SECURITY] (main)#21777
…ITY]
| datasource | package | from | to |
| ---------- | ------------------------ | ------- | ------- |
| go | github.com/apache/thrift | v0.22.0 | v0.23.0 |
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: int32 multiplication overflow bypasses protocol size check
- Replaced int32 minimum-size multiplications with an int64 element-count threshold check so oversized collections are rejected before overflow can occur.
Or push these changes by commenting:
@cursor push 0f1d5da180
Preview (0f1d5da180)
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
@@ -356,8 +356,7 @@
return
}
minElemSize := p.getMinSerializedSize(kType) + p.getMinSerializedSize(vType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
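Review bot: The substitution is correct, but the same three-line change is applied to the map, list and set readers of this file, so a single table-driven test that feeds each container the count from the finding (536870912 with an 8-byte element type) and expects a SIZE_LIMIT error would pin the behaviour for all three rather than relying on each site being patched identically; passing `int64(size32)` also routes negative counts into the helper's own negative-size branch, which is worth one more test row.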
@@ -382,8 +381,7 @@
return
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
@@ -409,8 +407,7 @@
return
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
@@ -499,8 +499,7 @@
valueType, _ = p.getTType(tCompactType(keyAndValueType & 0xf))
minElemSize := p.getMinSerializedSize(keyType) + p.getMinSerializedSize(valueType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
@@ -534,8 +533,7 @@
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := int32(size) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(int64(size), minElemSize, p.cfg)
if err != nil {
return
}
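Review bot: The removed line cast `size` to int32 before multiplying, which could truncate a large count in addition to the wrap the fix targets; `int64(size)` now carries the full value into the helper, so a test that feeds this reader a count above math.MaxInt32 and expects the SIZE_LIMIT error would confirm that both the truncation and the wrap are closed.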
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go b/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
@@ -332,6 +332,26 @@
return nil
}
+func checkMinSerializedSizeForProtocol(size int64, minElemSize int32, cfg *TConfiguration) error {
+ if size < 0 {
+ return NewTProtocolExceptionWithType(
+ NEGATIVE_SIZE,
+ fmt.Errorf("negative size: %d", size),
+ )
+ }
+ maxMessageSize := int64(cfg.GetMaxMessageSize())
+ if minElemSize > 0 {
+ maxMessageSize /= int64(minElemSize)
+ }
+ if size > maxMessageSize {
+ return NewTProtocolExceptionWithType(
+ SIZE_LIMIT,
+ fmt.Errorf("size exceeded max allowed: %d", size),
+ )
+ }
+ return nil
+}
+
type tTransportFactoryConf struct {
delegate TTransportFactory
cfg *TConfiguration
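Review bot: The new helper has no doc comment saying why it divides the message budget instead of multiplying the count; a line such as `// checkMinSerializedSizeForProtocol rejects a container whose size*minElemSize would exceed MaxMessageSize, dividing instead of multiplying so the comparison cannot overflow` would keep the intent visible to future refactors. Two smaller points: the SIZE_LIMIT message reports the element count as "size", which reads as a byte count next to checkSizeForProtocol's message, so consider including minElemSize or the derived per-element limit in the error text; and the integer division floors the limit, which is the safe direction (every count that passes satisfies size*minElemSize <= MaxMessageSize), but deserves a boundary test at exactly MaxMessageSize/minElemSize and one above it.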
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
@@ -317,8 +317,7 @@
size = int(iSize)
minElemSize := p.getMinSerializedSize(keyType) + p.getMinSerializedSize(valueType)
- totalMinSize := int32(iSize) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(iSize, minElemSize, p.cfg)
if err != nil {
return keyType, valueType, 0, err
}
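Review bot: The check now runs after `size = int(iSize)` has already been assigned; it is harmless because the error path returns 0 for the size, but moving the assignment below the check would avoid storing an out-of-range value even briefly and reads more clearly. Note also that `iSize` is passed without a cast, so it must already be an int64 here, which drops the `int32(iSize)` truncation the removed line performed before the multiply.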
@@ -498,8 +497,7 @@
size = int(nSize)
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := int32(nSize) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkMinSerializedSizeForProtocol(nSize, minElemSize, p.cfg)
if err != nil {
return elemType, 0, err
}
Reviewed by Cursor Bugbot for commit 902d2e3.
err = checkSizeForProtocol(size32, p.cfg)
minElemSize := p.getMinSerializedSize(kType) + p.getMinSerializedSize(vType)
totalMinSize := size32 * minElemSize
err = checkSizeForProtocol(totalMinSize, p.cfg)
int32 multiplication overflow bypasses protocol size check
High Severity
The computation totalMinSize := size32 * minElemSize uses int32 arithmetic, which silently wraps on overflow. A crafted size32 (e.g., 536870912 with minElemSize of 8 for DOUBLE) overflows to 0, passing checkSizeForProtocol. The old code checked size32 directly against maxMessageSize and would have correctly rejected such values. This regression allows an attacker to bypass size validation and force the server to iterate over hundreds of millions of elements, causing denial of service.
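The wrap described in the finding, and the divide-instead-of-multiply shape of the autofix, as an added Go example (not code from the PR or from apache/thrift); maxMessageSize, the error sentinels and both check functions are constructed stand-ins for the vendored thrift code.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for TConfiguration.MaxMessageSize (thrift's default is 100 MiB).
const maxMessageSize int32 = 100 * 1024 * 1024

var (
	errSizeLimit = errors.New("size exceeded max allowed")
	errNegative  = errors.New("negative size")
)

// int32Product is the pre-fix arithmetic: an int32 multiply that wraps silently.
func int32Product(count, minElemSize int32) int32 {
	return count * minElemSize
}

// vulnerableCheck mirrors the pre-fix logic: the wrapped product is what gets compared.
func vulnerableCheck(count, minElemSize int32) error {
	totalMinSize := int32Product(count, minElemSize)
	if totalMinSize < 0 {
		return errNegative
	}
	if totalMinSize > maxMessageSize {
		return errSizeLimit
	}
	return nil
}

// hardenedCheck mirrors the fix: divide the byte budget by the per-element minimum,
// then compare the element count against that budget, so nothing can overflow.
func hardenedCheck(count int64, minElemSize int32) error {
	if count < 0 {
		return errNegative
	}
	budget := int64(maxMessageSize)
	if minElemSize > 0 {
		budget /= int64(minElemSize) // floors: every count that passes fits in the budget
	}
	if count > budget {
		return errSizeLimit
	}
	return nil
}

func main() {
	const count, doubleSize = 536870912, 8 // the finding's 2^29 elements of an 8-byte DOUBLE
	fmt.Printf("int32 product: %d\n", int32Product(count, doubleSize))
	fmt.Println("vulnerable check:", vulnerableCheck(count, doubleSize))
	fmt.Println("hardened check:  ", hardenedCheck(count, doubleSize))
}
```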



This PR contains the following updates:
v0.22.0 → v0.23.0
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Apache Thrift TFramedTransport Go language implementation has an Integer Overflow or Wraparound vulnerability
CVE-2026-41602 / GHSA-wf45-q9ch-q8gh
More information
Details
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
The same advisory (Apache Thrift TFramedTransport Go language implementation has an Integer Overflow or Wraparound vulnerability) is also listed as BIT-thrift-2026-41602 / CVE-2026-41602 / GHSA-wf45-q9ch-q8gh, with identical details and severity. This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
apache/thrift (github.com/apache/thrift)
v0.23.0: Version 0.23.0
Please head over to the official release download source:
http://thrift.apache.org/download
The assets listed below are added by GitHub based on the release tag and they will therefore not match the checksums published on the Thrift project website.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.