CVE-2022-32149 is a high-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the golang.org/x/text/language package, specifically its ParseAcceptLanguage function. This function is responsible for parsing the Accept-Language HTTP header, which clients use to indicate language preferences. The vulnerability arises because an attacker can craft a maliciously complex or large Accept-Language header that causes the parsing routine to consume excessive CPU resources and time, leading to a denial of service (DoS) condition. The vulnerability does not impact confidentiality or integrity but directly affects availability by making the service unresponsive or significantly degraded. The CVSS 3.1 score of 7.5 reflects this high impact on availability with no required privileges or user interaction, and it can be exploited remotely over the network. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and poses a risk to any application or service using the affected golang.org/x/text/language package to process HTTP headers. Since golang.org/x/text is a widely used Go language library for text and language processing, many web servers, APIs, and microservices implemented in Go may be vulnerable if they utilize this package without mitigation. The lack of available patches or updates in the provided data suggests that users should verify the presence of fixes or consider workarounds to mitigate the risk.

For European organizations, this vulnerability can lead to service disruptions, particularly for web-facing applications and APIs that rely on Go's text/language package for HTTP header parsing. Denial of service attacks exploiting this flaw could degrade customer-facing services, internal tools, or critical infrastructure components, resulting in operational downtime and potential reputational damage. Sectors such as finance, healthcare, government, and e-commerce, which often deploy Go-based microservices for performance and scalability, may be particularly impacted. Additionally, organizations with strict availability requirements under regulations like the EU NIS Directive could face compliance challenges if services are disrupted. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks from remote adversaries, including cybercriminals or hacktivists targeting European entities. Although no data breach risk exists, the denial of service could indirectly affect business continuity and customer trust.

European organizations should first identify all applications and services using the golang.org/x/text/language package, especially those parsing Accept-Language headers. Immediate mitigation steps include: 1) Updating to the latest patched version of the golang.org/x/text package once available from the official Go repositories or vendor patches. 2) Implementing input validation and rate limiting on HTTP headers at the application or web server level to detect and block suspiciously large or malformed Accept-Language headers before they reach the vulnerable parser. 3) Employing Web Application Firewalls (WAFs) with custom rules to filter out malicious header patterns. 4) Monitoring application performance and logs for unusual spikes in CPU usage or parsing delays indicative of exploitation attempts. 5) Considering fallback or alternative parsing libraries if patches are delayed. 6) Conducting penetration testing and code reviews focused on header parsing logic to ensure no similar resource exhaustion vectors exist. These targeted measures go beyond generic advice by focusing on proactive detection, containment, and patch management specific to this vulnerability.