CVE-2023-37475: 
NixOS vulnerability analysis and mitigation

A well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal() can trigger a fatal error: runtime: out of memory which is unrecoverable and can cause denial of service of the consumer of avro. The vulnerability affects all versions prior to v2.13.0 of the Hamba avro package, which is a Go lang encoder/decoder implementation of the avro codec specification (GitHub Advisory).

The root cause of the vulnerability lies in how avro uses part of the input to Unmarshal() to determine the size when creating a new slice. An attacker can provide specially crafted input that causes the application to attempt to allocate an excessive amount of memory, leading to an unrecoverable out-of-memory condition. The issue was fixed in commit b4a402f4 which was included in release version 2.13.0. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory, NVD).

Any application using the avro Unmarshalling routine that accepts untrusted input is affected. When exploited, the vulnerability allows an attacker to crash the running application and cause denial of service by consuming all available memory (GitHub Advisory).

Users are advised to upgrade to version 2.13.0 or later which includes the fix. The patch introduces a Config.MaxByteSliceSize parameter that restricts the maximum size of bytes and string types created by the Reader, with a default maximum size of 1MiB. There are no known workarounds for this vulnerability other than upgrading (GitHub Advisory).