### Impact
The sflow decode package prior to version 3.4.4 does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume huge amounts of memory resulting in a denial of service.

### Specific Go Packages Affected
github.com/cloudflare/goflow/v3/decoders/sflow

### Patches
Version 3.4.4 contains patches fixing this.

### Workarounds
A possible workaround is to not have your goflow collector publicly reachable.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [goflow repo](https://github.com/cloudflare/goflow)
* Email us [netdev[@]cloudflare.com ](mailto:[email protected])

Affected Packages

Go github.com/cloudflare/goflow/v3

Affected versions: 0 (fixed in 3.4.4)

Related CVEs

CVE-2022-2529

Key Information

GHSA ID

GHSA-9rpw-2h95-666c

Published

October 1, 2022 3:52 PM

Last Modified

October 2, 2023 11:20 AM

CVSS Score

7.5 /10

Primary Ecosystem

Primary Package

github.com/cloudflare/goflow/v3

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.