CVE-2013-10005: 
vulnerability analysis and mitigation

The vulnerability (CVE-2013-10005) affects the go-socks package, specifically impacting versions before v0.0.0-20130808000456-233bccbb1abe. The issue involves the RemoteAddr and LocalAddr methods on the returned net.Conn, which may call themselves recursively, resulting in an infinite loop that causes the program to crash due to a stack overflow (Go Packages). The vulnerability was discovered and fixed in 2013, with the fix being implemented through a commit to the btcsuite/go-socks repository.

The vulnerability stems from a recursive call pattern in the proxiedConn implementation where both LocalAddr and RemoteAddr methods would call themselves instead of accessing the underlying connection's methods. This creates an infinite recursion scenario, eventually leading to stack overflow. The CVSS v3.1 score for this vulnerability is 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD). The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop').

When exploited, this vulnerability results in a program crash due to stack overflow, effectively causing a denial of service condition. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (NVD).

The vulnerability was fixed by modifying the LocalAddr and RemoteAddr methods to correctly reference the underlying connection's methods (c.conn.LocalAddr() and c.conn.RemoteAddr()) instead of calling themselves. Users should upgrade to version v0.0.0-20130808000456-233bccbb1abe or later to resolve this issue (GitHub Commit).