CVE-2022-2529 - Vulnerability Details - OpenCVE

sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00811.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Cloudflare	Goflow

Configuration 1 [-]

cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-7068	sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.
Github GHSA	GHSA-9rpw-2h95-666c	Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package

Fixes

Solution

Upgrade goflow at least to version 3.4.4

Workaround

Make sure that the goflow collector is not publicly reachable.

References

Link	Providers
https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c

History

Tue, 20 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2022-09-30T10:45:11.000Z

Updated: 2025-05-20T16:03:07.474Z

Reserved: 2022-07-25T00:00:00.000Z

Link: CVE-2022-2529

Vulnrichment

Updated: 2024-08-03T00:39:08.043Z

NVD

Status : Modified

Published: 2022-09-30T11:15:09.353

Modified: 2024-11-21T07:01:11.843

Link: CVE-2022-2529

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Go"], "product": "goflow", "vendor": "Cloudflare", "versions": [{"lessThan": "3.4.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-30T10:45:11.000Z", "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple DoS Attack Vectors in sflow packet handling", "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cloudflare.com", "ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "goflow", "version": {"version_data": [{"platform": "Go", "version_affected": "<", "version_value": "3.4.4"}]}}]}, "vendor_name": "Cloudflare"}]}}, "credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC", "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "source": {"discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.043Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-20T16:02:58.308388Z", "id": "CVE-2022-2529", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:03:07.474Z"}}]}, "cveMetadata": {"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "assignerShortName": "cloudflare", "cveId": "CVE-2022-2529", "datePublished": "2022-09-30T10:45:11.000Z", "dateReserved": "2022-07-25T00:00:00.000Z", "dateUpdated": "2025-05-20T16:03:07.474Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.043Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-20T16:02:58.308388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:03:03.524Z"}}], "cna": {"title": "Multiple DoS Attack Vectors in sflow packet handling", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Justin Timperio, Chase Hiltz"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cloudflare", "product": "goflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.4.4", "versionType": "custom"}], "platforms": ["Go"]}], "solutions": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "references": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "tags": ["x_refsource_MISC"]}], "workarounds": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2022-09-30T10:45:11.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Justin Timperio, Chase Hiltz"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"platform": "Go", "version_value": "3.4.4", "version_affected": "<"}]}, "product_name": "goflow"}]}, "vendor_name": "Cloudflare"}]}}, "solution": [{"lang": "en", "value": "Upgrade goflow at least to version 3.4.4"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "name": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}, {"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "work_around": [{"lang": "en", "value": "Make sure that the goflow collector is not publicly reachable."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-2529", "STATE": "PUBLIC", "TITLE": "Multiple DoS Attack Vectors in sflow packet handling", "ASSIGNER": "cna@cloudflare.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-2529", "state": "PUBLISHED", "dateUpdated": "2025-05-20T16:03:07.474Z", "dateReserved": "2022-07-25T00:00:00.000Z", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "datePublished": "2022-09-30T10:45:11.000Z", "assignerShortName": "cloudflare"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:goflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA4C3B2C-FA7D-4659-97FF-880D574C12B4", "versionEndExcluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service."}, {"lang": "es", "value": "El paquete de decodificaci\u00f3n sflow no emplea suficiente sanitizaci\u00f3n de paquetes, lo que puede llevar a un ataque de denegaci\u00f3n de servicio. Los atacantes pueden elaborar paquetes malformados haciendo que el proceso consuma grandes cantidades de memoria, lo que provoca una denegaci\u00f3n de servicio"}], "id": "CVE-2022-2529", "lastModified": "2024-11-21T07:01:11.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cna@cloudflare.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-30T11:15:09.353", "references": [{"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/goflow/security/advisories/GHSA-9rpw-2h95-666c"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}