CVE-2021-3822
ReDoS vulnerability in jsoneditor (npm)
What is CVE-2021-3822 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `jsoneditor` npm package, specifically in its `getInnerText` utility function. The function walks the text nodes of a DOM element and runs a regular expression over their content; a crafted string makes that regular expression backtrack excessively, consuming CPU for a time that grows far faster than the input length. The result is a denial of service, and exploitation is easy for an attacker able to get such a string in front of the affected function.
Affected Software
jsoneditor (npm), all versions prior to 9.5.6; the issue is fixed in 9.5.6.
Technical Details
The jsoneditor package (the web-based JSON editor component) is vulnerable to ReDoS in its getInnerText function, which reads text back out of the editor's content-editable fields. The function applies a regular expression to each text node it visits, and that expression exhibits catastrophic backtracking on a suitably shaped string. An attacker who can get such a string into content processed by getInnerText (typed, pasted, or loaded as part of the JSON being edited) forces the regular expression engine to explore an excessive number of candidate matches, consuming CPU for a prolonged period. Because regular expression matching in JavaScript is synchronous, the thread running the editor is blocked for the duration and the application becomes unresponsive.
What is the Impact of CVE-2021-3822?
Successful exploitation lets an attacker disrupt availability: the JavaScript thread running the editor (typically the victim's browser tab, or a Node.js process if the library is used server-side) spends its time backtracking inside the regular expression and stops responding to legitimate work. The impact is confined to availability; no data is disclosed or modified.
What is the Exploitability of CVE-2021-3822?
Exploitation requires the ability to get a crafted string into an element processed by the getInnerText function of the jsoneditor package. The complexity is low: it amounts to constructing a string that forces the vulnerable regular expression to backtrack. No authentication or special privileges are needed beyond the ability to feed content into the JSON editor's input mechanisms. The attack is remote whenever the editor is exposed and accepts untrusted input, for example when it renders a JSON document supplied by another user. The primary risk factor is therefore the application's processing of untrusted user input within the jsoneditor component; the same string is harmless elsewhere and only becomes a problem when it reaches the vulnerable regular expression.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3822?
About the Fix from Resolved Security
The upstream fix (jsoneditor 9.5.6, commit 092e386) changes how getInnerText trims text nodes: newline characters and the whitespace surrounding them are removed in a way that no longer triggers catastrophic backtracking, so a crafted string can no longer pin the CPU. The behaviour visible to users is unchanged; only the cost of the matching is bounded. Note that CVE-2021-3822 is a denial of service, not an injection flaw: the patch does not address cross-site scripting, and the vulnerability carries no confidentiality or integrity impact.
Available Upgrade Options
- jsoneditor
- <9.5.6 → Upgrade to 9.5.6
Additional Resources
- https://github.com/josdejong/jsoneditor/commit/092e386cf49f2a1450625617da8e0137ed067c3e
- https://huntr.dev/bounties/1e3ed803-b7ed-42f1-a4ea-c4c75da9de73
- https://osv.dev/vulnerability/GHSA-hhfg-6hfc-rvxm
- https://nvd.nist.gov/vuln/detail/CVE-2021-3822
- https://github.com/josdejong/jsoneditor
What are Similar Vulnerabilities to CVE-2021-3822?
Similar Vulnerabilities: CVE-2022-21680, CVE-2021-3777, CVE-2021-33623, CVE-2016-10707, CVE-2021-23395
