go-zserio has Unbounded Memory Allocation for All Platforms

GHSA-xhj4-g6w8-2xjw

Published Apr 24, 2026 · Modified May 5, 2026

Description

Impact

When deserializing arrays, strings or bytes (blob) types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate large amounts of memory.

Patches

Please apply this commit.

Workarounds

Do not accept zserio data from non-trusted sources.
Use secure transportation protocols (like TLS).

References

WEB https://github.com/woven-by-toyota/go-zserio/security/advisories/GHSA-xhj4-g6w8-2xjw
WEB https://github.com/woven-by-toyota/go-zserio/commit/39ef1decde7e9766207794d396018776b33c6e45
PACKAGE https://github.com/woven-by-toyota/go-zserio

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes