CVE-2017-16113
Denial of Service vulnerability in parsejson (npm)
What is CVE-2017-16113 About?
The `parsejson` package is vulnerable to a regular expression denial of service (ReDoS) when processing untrusted user input. This flaw can cause the application to become unresponsive by consuming excessive CPU resources. Exploitation is typically remote and relies on sending specially crafted input, which makes it relatively easy.
Affected Software
Technical Details
Affected versions of the parsejson package are susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability. This occurs when untrusted user input is passed to the package's parsing functions. The regular expressions used internally by parsejson exhibit catastrophic backtracking behavior when confronted with specific, maliciously crafted input strings. When such an input is processed, the regex engine enters an extremely inefficient state, consuming an exponential amount of CPU time relative to the input length. This resource exhaustion blocks the Node.js event loop, preventing the application from processing other requests and effectively rendering it unresponsive, leading to a denial of service. The vulnerability exists due to the design of the regexes and the package's inability to handle complex, potentially adversarial input efficiently.
What is the Impact of CVE-2017-16113?
Successful exploitation may allow attackers to degrade application performance or cause temporary unresponsiveness, leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2017-16113?
Exploitation of this vulnerability requires an attacker to provide specially crafted user input to an application that uses the parsejson package. The complexity of crafting the input for a ReDoS attack can vary but is generally considered moderate, requiring an understanding of regex behavior. No authentication or specific privileges are required for an attacker to submit this input, assuming the application accepts external data. The attack is remote, as the malicious input can be sent over a network connection to the server. The primary risk factor is any application that directly uses parsejson for external JSON parsing without prior sanitization or validation of the input string.
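One way to put the validation mentioned above in front of external JSON is sketched here. It is an added example, not code from parsejson or from this advisory, and it assumes the application can call the built-in `JSON.parse` instead of the package. The `safeParseJson` name, the 64 KiB limit and the sample inputs are hypothetical.

```javascript
// Hypothetical size limit; set it to the largest legitimate message expected.
const MAX_JSON_BYTES = 64 * 1024;

/**
 * Parse untrusted text as JSON without passing it to parsejson.
 * Returns { ok: true, value } or { ok: false, reason }; it never throws.
 */
function safeParseJson(input, maxBytes = MAX_JSON_BYTES) {
  // Network code often hands over Buffers: check the size before decoding.
  if (Buffer.isBuffer(input)) {
    if (input.length > maxBytes) return { ok: false, reason: 'too-large' };
    input = input.toString('utf8');
  }
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };

  // Bound the amount of work before any parsing starts.
  if (Buffer.byteLength(input, 'utf8') > maxBytes) {
    return { ok: false, reason: 'too-large' };
  }

  // The native parser does not run the package's regular expressions.
  try {
    return { ok: true, value: JSON.parse(input) };
  } catch (err) {
    return { ok: false, reason: 'invalid-json' };
  }
}

// Constructed sample inputs, one per outcome.
function demo() {
  return [
    safeParseJson('{"user":"alice","id":7}'),   // well-formed
    safeParseJson(Buffer.from('[1,2,3]')),      // Buffer input
    safeParseJson('{"user":'),                  // truncated
    safeParseJson('a'.repeat(70000)),           // over the limit
    safeParseJson(42),                          // wrong type
  ].map((r) => (r.ok ? 'ok' : r.reason));
}

console.log(demo());
```

Rejected inputs come back as a reason code rather than an exception, so the caller can log and drop them without a separate error path.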
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16113?
Available Upgrade Options
- No fixes available
Additional Resources
- https://osv.dev/vulnerability/GHSA-q75g-2496-mxpp
- https://nvd.nist.gov/vuln/detail/CVE-2017-16113
- https://github.com/get/parsejson/issues/4
- https://www.npmjs.com/advisories/528
- https://nodesecurity.io/advisories/528
- https://github.com/advisories/GHSA-q75g-2496-mxpp
What are Similar Vulnerabilities to CVE-2017-16113?
Similar Vulnerabilities: CVE-2017-16137, CVE-2017-1000189, CVE-2018-3720, CVE-2018-12115, CVE-2020-28280
