chore(deps): update dependency json-repair to v0.60.1 [security]#217
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency json-repair to v0.60.1 [security]#217renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.59.5→0.60.1json_repair: Circular JSON Schema
$refcauses unbounded CPU DoSGHSA-xf7x-x43h-rpqh
More information
Details
Circular JSON Schema
$refcauses unbounded CPU DoS injson_repairSummary
SchemaRepairer.resolve_schema()injson_repairfollows JSON Schema$refpointers in an unboundedwhileloop without any cycle detection. An attacker who can supply a schema containing a self-referencing$ref(e.g., via the demo Flask API or any application that passes untrusted input toloads(..., schema=...)), can cause a worker process to spin indefinitely on CPU, resulting in a complete denial of service. No authentication is required against the public demo API. The vulnerability is confirmed reproducible at CVSS 7.5 (High).Details
SchemaRepairer.resolve_schema()atsrc/json_repair/schema_repair.py:184–190resolves$refchains using a plainwhileloop:_resolve_ref()atsrc/json_repair/schema_repair.py:654–665always resolves references relative toself.root_schema, which is initialised from the caller-supplied schema (src/json_repair/schema_repair.py:130). When the schema contains a circular reference such as:{"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}_resolve_ref()returns the samedictobject on every iteration, so"$ref" in schema_dictis alwaysTrueand the loop never terminates.The vulnerable sink is reachable without authentication through the demo Flask API:
The only guard is a top-level
isinstance(dict, bool)check; there is no$refdepth limit, no visited-set, and no timeout enforced by the library. The full data-flow path is:docs/app.py:14—request.get_json()reads the attacker-controlled HTTP body.docs/app.py:21–23—schemais extracted; onlydict/booltype check applied.docs/app.py:33–36— schema is forwarded verbatim toloads().src/json_repair/json_repair.py:145–148—schema_from_input(schema)instantiatesSchemaRepairer.src/json_repair/json_repair.py:160—repairer.is_valid()callsresolve_schema(), triggering the infinite loop.src/json_repair/schema_repair.py:184–190— unboundedwhile "$ref" in schema_dictloop (sink).src/json_repair/schema_repair.py:654–665—_resolve_ref()returns the same object on every call.Recommended fix:
PoC
Environment setup:
Alternatively, use the provided Docker image:
docker build -t vuln001-json-repair -f vuln-001/Dockerfile . docker run --rm vuln001-json-repairHTTP attack request (demo API):
Direct library attack:
Observed results (from Docker-based dynamic reproduction):
{"type":"object","properties":{"name":{"type":"string"}}}): completed in 0.261 s.$refschema): timed out after 5.01 s — process killed; infinite loop confirmed.Impact
This is an unauthenticated denial-of-service vulnerability. Any single HTTP request carrying a circular
$refschema hangs the Flask worker process indefinitely, making the service unavailable to all other users until the process is killed or the server is restarted. Because the public demo API (docs/app.py) accepts theschemafield from the request body without authentication and passes it directly toloads(), remote attackers can exploit this with a trivial one-liner.Beyond the demo API, any application that exposes
json_repair.loads(..., schema=<user-controlled>)to untrusted callers is equally affected. The vulnerability requires no special privileges, produces no useful output for the attacker (confidentiality and integrity are unaffected), and is deterministically reproducible.Reproduction artifacts
Dockerfilepoc.pySeverity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
json_repair: Circular JSON Schema
$refcauses unbounded CPU DoSGHSA-xf7x-x43h-rpqh
More information
Details
Circular JSON Schema
$refcauses unbounded CPU DoS injson_repairSummary
SchemaRepairer.resolve_schema()injson_repairfollows JSON Schema$refpointers in an unboundedwhileloop without any cycle detection. An attacker who can supply a schema containing a self-referencing$ref(e.g., via the demo Flask API or any application that passes untrusted input toloads(..., schema=...)), can cause a worker process to spin indefinitely on CPU, resulting in a complete denial of service. No authentication is required against the public demo API. The vulnerability is confirmed reproducible at CVSS 7.5 (High).Details
SchemaRepairer.resolve_schema()atsrc/json_repair/schema_repair.py:184–190resolves$refchains using a plainwhileloop:_resolve_ref()atsrc/json_repair/schema_repair.py:654–665always resolves references relative toself.root_schema, which is initialised from the caller-supplied schema (src/json_repair/schema_repair.py:130). When the schema contains a circular reference such as:{"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}_resolve_ref()returns the samedictobject on every iteration, so"$ref" in schema_dictis alwaysTrueand the loop never terminates.The vulnerable sink is reachable without authentication through the demo Flask API:
The only guard is a top-level
isinstance(dict, bool)check; there is no$refdepth limit, no visited-set, and no timeout enforced by the library. The full data-flow path is:docs/app.py:14—request.get_json()reads the attacker-controlled HTTP body.docs/app.py:21–23—schemais extracted; onlydict/booltype check applied.docs/app.py:33–36— schema is forwarded verbatim toloads().src/json_repair/json_repair.py:145–148—schema_from_input(schema)instantiatesSchemaRepairer.src/json_repair/json_repair.py:160—repairer.is_valid()callsresolve_schema(), triggering the infinite loop.src/json_repair/schema_repair.py:184–190— unboundedwhile "$ref" in schema_dictloop (sink).src/json_repair/schema_repair.py:654–665—_resolve_ref()returns the same object on every call.Recommended fix:
PoC
Environment setup:
Alternatively, use the provided Docker image:
docker build -t vuln001-json-repair -f vuln-001/Dockerfile . docker run --rm vuln001-json-repairHTTP attack request (demo API):
Direct library attack:
Observed results (from Docker-based dynamic reproduction):
{"type":"object","properties":{"name":{"type":"string"}}}): completed in 0.261 s.$refschema): timed out after 5.01 s — process killed; infinite loop confirmed.Impact
This is an unauthenticated denial-of-service vulnerability. Any single HTTP request carrying a circular
$refschema hangs the Flask worker process indefinitely, making the service unavailable to all other users until the process is killed or the server is restarted. Because the public demo API (docs/app.py) accepts theschemafield from the request body without authentication and passes it directly toloads(), remote attackers can exploit this with a trivial one-liner.Beyond the demo API, any application that exposes
json_repair.loads(..., schema=<user-controlled>)to untrusted callers is equally affected. The vulnerability requires no special privileges, produces no useful output for the attacker (confidentiality and integrity are unaffected), and is deterministically reproducible.Reproduction artifacts
Dockerfilepoc.pySeverity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.