Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.03.04.00.

Affected Packages

Go github.com/facebook/fbthrift

Affected versions: 0 (fixed in 0.31.1-0.20190225164308-c461c1bd1a3e)

Related CVEs

CVE-2019-3564

Key Information

GHSA ID

GHSA-x4rg-4545-4w7w

Published

February 15, 2022 1:57 AM

Last Modified

November 3, 2021 2:59 PM

CVSS Score

7.5 /10

Primary Ecosystem

Primary Package

github.com/facebook/fbthrift

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.