{"id":"GO-2023-1772","summary":"Memory exhaustion in github.com/distribution/distribution","details":"Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.","aliases":["CVE-2023-2253","GHSA-hqxw-f8mx-cpmw"],"modified":"2026-02-04T02:36:06.103273Z","published":"2023-05-24T18:13:11Z","related":["CGA-wwpj-94w4-45fr"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-1772"},"references":[{"type":"FIX","url":"https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hqxw-f8mx-cpmw"}],"affected":[{"package":{"name":"github.com/distribution/distribution","ecosystem":"Go","purl":"pkg:golang/github.com/distribution/distribution"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.8.2-beta.1+incompatible"}]}],"ecosystem_specific":{"imports":[{"symbols":["catalogHandler.GetCatalog"],"path":"github.com/distribution/distribution/registry/handlers"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1772.json"}}],"schema_version":"1.7.3"}