GHSA-xhj4-g6w8-2xjw: go-zserio has Unbounded Memory Allocation for All Platforms
When deserializing array, string or bytes (blob) types, zserio first reads the size of the variable and then allocates enough memory to load the data. Because that size is trusted without validation, an attacker can craft a data file with a large size value and force the zserio runtime to allocate large amounts of memory, a denial of service through memory exhaustion. The allocation is made before the runtime has checked whether the input actually contains that much data, so the crafted file does not need to be large itself.
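The pattern described above, as an added example that is not go-zserio's code: a length-prefixed decoder that allocates from the declared size before checking the input, beside a hardened decoder that bounds the declared size by the bytes actually remaining. The 32-bit big-endian length prefix, the function names and the constructed inputs are assumptions for illustration; zserio's real size encoding is not reproduced. The hardened form is generalized to arrays of fixed-size elements (element count times element size), of which a blob or string is the one-byte-element case.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrLengthExceedsInput is returned when a declared length claims more bytes
// than the input holds.
var ErrLengthExceedsInput = errors.New("declared length exceeds remaining input")

// readPrefix reads a hypothetical 32-bit big-endian length prefix (assumption;
// zserio's own varsize encoding is not reproduced here) and returns the rest.
func readPrefix(in []byte) (uint32, []byte, error) {
	if len(in) < 4 {
		return 0, nil, errors.New("input shorter than length prefix")
	}
	return binary.BigEndian.Uint32(in), in[4:], nil
}

// readBlobUnchecked follows the vulnerable pattern the advisory describes:
// it allocates n bytes before verifying that the input actually holds n bytes.
// It also reports how many bytes it allocated so the effect is observable.
func readBlobUnchecked(in []byte) (blob []byte, allocated int, err error) {
	n, rest, err := readPrefix(in)
	if err != nil {
		return nil, 0, err
	}
	buf := make([]byte, n) // size driven entirely by attacker-controlled n
	if copy(buf, rest) != int(n) {
		return nil, len(buf), ErrLengthExceedsInput // too late: memory already committed
	}
	return buf, len(buf), nil
}

// readArrayChecked is the hardened form. A count n of fixed-size elements may
// not claim more bytes than remain in the input, and that check runs before
// any allocation. elemSize is the encoded size of one element in bytes; a blob
// or string is the elemSize == 1 case.
func readArrayChecked(in []byte, elemSize int) ([]byte, error) {
	if elemSize <= 0 {
		return nil, errors.New("element size must be positive")
	}
	n, rest, err := readPrefix(in)
	if err != nil {
		return nil, err
	}
	need := uint64(n) * uint64(elemSize) // uint64 so the product cannot wrap
	if need > uint64(len(rest)) {
		return nil, ErrLengthExceedsInput
	}
	buf := make([]byte, need)
	copy(buf, rest[:need])
	return buf, nil
}

// forgedInput builds a constructed message: a prefix declaring `declared`
// elements followed by only len(payload) real bytes.
func forgedInput(declared uint32, payload []byte) []byte {
	out := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(out, declared)
	return append(out, payload...)
}

func main() {
	evil := forgedInput(1<<20, []byte("abc")) // claims 1 MiB, carries 3 bytes
	_, allocated, err := readBlobUnchecked(evil)
	fmt.Printf("unchecked: allocated %d bytes, err=%v\n", allocated, err)
	_, err = readArrayChecked(evil, 1)
	fmt.Printf("checked: allocated 0 bytes, err=%v\n", err)
}
```

The example deliberately forges only a 1 MiB claim so it is safe to run; a real attacker would use the maximum the size field allows. Where the format allows legitimately large values that are still smaller than the input (for example a bit-packed array whose elements are narrower than a byte), the remaining-input bound should be computed in the smallest encoded unit the format uses, and an additional policy cap on the maximum accepted size is a reasonable extra defence.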