GHSA-5GJG-JGH4-GPPM

Vulnerability from github – Published: 2021-06-23 17:26 – Updated: 2026-01-23 22:35
Summary
Websocket requests did not call AuthenticateMethod
Details

Impact

Depending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the github.com/ecnepsnai/web package with Web Sockets that have an AuthenticateMethod.

The AuthenticateMethod is not called, and UserData will be nil in request methods. Attempts to read the UserData may result in a panic.

This issue only affects web sockets where an AuthenticateMethod is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.

Example

In the example below, one would expect the AuthenticateMethod function to be called for each request to /example.

handleOptions := web.HandleOptions{
    AuthenticateMethod: func(request *http.Request) interface{} {
        // Assume there is logic here to check for an active session, look at cookies or headers, etc...
        session := Session{} // Example: Session is the application's own per-user type

        return session
    },
}

server.Socket("/example", handle, handleOptions)

However, the method is not called, and therefore the UserData parameter of the request object in the handle will be nil, when it would have been expected to be the session object we returned.

Patches

Release v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.

All users of the web package should update to v1.5.2 or later.

Workarounds

You may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.
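The workaround above, written out as an added example that is not the web package's own code: a named authenticate function is called at the start of a handler standing in for the websocket handle method, and the connection is rejected when it returns nil. The handler signature, the Session type and the cookie-keyed session store are assumptions made for this example; the comma-ok assertion also guards against the nil UserData panic described under Impact.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Session is a constructed stand-in for the per-user data an AuthenticateMethod returns.
type Session struct{ User string }

// sessions is a constructed in-memory store keyed by session cookie value.
var sessions = map[string]Session{"valid-token": {User: "alice"}}

var errUnauthenticated = errors.New("websocket rejected: no authenticated session")

// authenticate is the named authenticate function the workaround calls for: the same logic
// the application passes as AuthenticateMethod, but callable directly from the handler.
func authenticate(r *http.Request) interface{} {
	c, err := r.Cookie("session")
	if err != nil {
		return nil // no session cookie at all
	}
	if s, ok := sessions[c.Value]; ok {
		return s
	}
	return nil // unknown or expired session
}

// socketHandle shows the start of a websocket handle method under the workaround; its
// parameter and return values are assumptions for this example, not the package's signature.
func socketHandle(r *http.Request) (Session, error) {
	userData := authenticate(r) // do not trust UserData: affected versions leave it nil
	if userData == nil {
		return Session{}, errUnauthenticated // reject on nil, as the workaround requires
	}
	// Comma-ok avoids the panic described under Impact if the value is nil or another type.
	session, ok := userData.(Session)
	if !ok {
		return Session{}, errUnauthenticated
	}
	return session, nil
}

func main() {
	r := httptest.NewRequest(http.MethodGet, "/example", nil)
	r.AddCookie(&http.Cookie{Name: "session", Value: "valid-token"})
	fmt.Println(socketHandle(r)) // {alice} <nil>
}
```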


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ecnepsnai/web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304",
      "CWE-400",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T17:41:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nDepending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the `github.com/ecnepsnai/web` package with Web Sockets that have an AuthenticateMethod.\n\nThe `AuthenticateMethod` is not called, and `UserData` will be nil in request methods. Attempts to read the `UserData` may result in a panic.\n\nThis issue only affects web sockets where an `AuthenticateMethod` is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.\n\n#### Example\n\nIn the example below, one would expect that the `AuthenticateMethod` function would be called for each request to `/example`\n\n```go\nhandleOptions := web.HandleOptions{\n\tAuthenticateMethod: func(request *http.Request) interface{} {\n\t\t// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...\n\t\tvar session Session{} // Example\n\n\t\treturn session\n\t},\n}\n\nserver.Socket(\"/example\", handle, handleOptions)\n```\n\nHowever, the method is not called, and therefor the `UserData` parameter of the request object in the handle will be nil, when it would have been expected to be the `session` object we returned.\n\n### Patches\n\nRelease v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.\n\nAll users of the web package should update to v1.5.2 or later.\n\n### Workarounds\n\nYou may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.",
  "id": "GHSA-5gjg-jgh4-gppm",
  "modified": "2026-01-23T22:35:54Z",
  "published": "2021-06-23T17:26:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ecnepsnai/web/security/advisories/GHSA-5gjg-jgh4-gppm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ecnepsnai/web"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Websocket requests did not call AuthenticateMethod"
}

