x/vulndb: potential Go vuln in github.com/matrix-org/gomatrixserverlib: CVE-2024-52594

[GoVulnBot]

Advisory CVE-2024-52594 references a vulnerability in the following Go modules:

Module
github.com/matrix-org/gomatrixserverlib

Description:
Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit c4f1e01 fixes this issue. Users are advised to upgrade. Users unable to upgrade should use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-52594
• FIX: matrix-org/gomatrixserverlib@c4f1e01
• WEB: GHSA-4ff6-858j-r822

Cross references:

• github.com/matrix-org/gomatrixserverlib appears in 1 other report(s):
  • data/reports/GO-2022-0952.yaml (x/vulndb: potential Go vuln in github.com/matrix-org/gomatrixserverlib: CVE-2022-36009 #952)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/matrix-org/gomatrixserverlib
      vulnerable_at: 0.0.0-20250116181547-c4f1e01eab0d
summary: CVE-2024-52594 in github.com/matrix-org/gomatrixserverlib
cves:
    - CVE-2024-52594
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52594
    - fix: https://github.com/matrix-org/gomatrixserverlib/commit/c4f1e01eab0dd435709ad15463ed38a079ad6128
    - web: https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822
source:
    id: CVE-2024-52594
    created: 2025-01-16T20:01:14.658776299Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/643176 mentions this issue: data/reports: add GO-2025-3396