Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcWhwLTI1ajQtNmhxOc4ABBnm
smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.
The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.
Proof of concept
require("smol-toml").parse("e=" + "{e=".repeat(9999) + "{}" + "}".repeat(9999))
Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.
Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.
As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.
Patches
Version 1.3.1 offers a mechanism to limit the exploration depth before halting with a TomlError
when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.
Please note that the parser will still throw an error upon such cases. It is, however, a now-controlled and documented behavior of the library.
Workarounds
Wrap all invocations of parse
and stringify
in a try/catch block.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcWhwLTI1ajQtNmhxOc4ABBnm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 days ago
Updated: 4 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-pqhp-25j4-6hq9
References:
- https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-pqhp-25j4-6hq9
- https://github.com/squirrelchat/smol-toml/commit/405108ba090f0fc78f99aa2f0d6721e499b0ff27
- https://github.com/advisories/GHSA-pqhp-25j4-6hq9
Blast Radius: 0.0
Affected Packages
npm:smol-toml
Dependent packages: 8Dependent repositories: 1
Downloads: 3,580,440 last month
Affected Version Ranges: <= 1.3.0
Fixed in: 1.3.1
All affected versions: 0.1.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0
All unaffected versions: