CVE-2021-42836
ReDoS vulnerability in gjson (Go)

Tags: ReDoS | No known exploit | Fixable by Resolved Security

What is CVE-2021-42836 About?

The GJSON library up to and including version 1.9.2 is susceptible to what the advisories classify as a Regular Expression Denial of Service (ReDoS). The expensive operation is not a regular expression but the backtracking wildcard matcher gjson runs when a path segment contains * or ?: a JSON document whose object keys nearly match such a segment drives the matcher into catastrophic backtracking and exhausts CPU. Exploitation is easy because the attacker only has to get the JSON in front of a vulnerable query; no authentication or user interaction is involved.

Affected Software

github.com/tidwall/gjson <1.9.3

Technical Details

The vulnerability in GJSON <= 1.9.2 is classed as a ReDoS, but the culprit is not a Go regexp (Go's regexp package is linear-time by design). It is the recursive wildcard matcher from github.com/tidwall/match that gjson calls, via the unbounded match.Match, to compare JSON object keys against a path segment containing * or ?, and JSON string values against the pattern of a % or !% query. Each * can either match nothing or consume one more character, and on a near-miss the matcher explores every split at every position, so the time to reject a key grows as a polynomial in the key length whose degree is the number of wildcards in the pattern (catastrophic backtracking). A small JSON document carrying one long key that almost matches the pattern is therefore enough to pin a CPU core for the duration of the match, rendering the application unresponsive and denying service to legitimate users.

What is the Impact of CVE-2021-42836?

Successful exploitation lets an attacker burn CPU on the host that evaluates the query, leading to unresponsiveness, resource exhaustion, and service unavailability. The impact is confined to availability: the flaw does not disclose data or allow code execution.

What is the Exploitability of CVE-2021-42836?

Exploitation complexity is low: the attacker needs only a JSON document containing a long key (or, for the % and !% query operators, a long string value) that almost matches the wildcard pattern the application queries with. No authentication or privileges are needed because the cost is incurred inside the parsing logic itself, typically when a remote caller submits the JSON to an API endpoint that hands it to gjson. Two conditions must hold: the application must run a vulnerable gjson version on untrusted input, and the path it evaluates must use wildcards or pattern queries (a literal path is compared by plain string equality and is not affected). The blow-up also scales with the number of wildcards in the pattern, so a segment such as * or user_* costs little, while several * in one segment, or paths assembled from attacker-controlled request parameters, make the attack trivial. Risk is highest for services that expose wildcard JSON queries to external or untrusted users.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-42836?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch, released as gjson 1.9.3, adds an unexported matchLimit helper and calls it in place of the unbounded match.Match wherever gjson compares JSON content against a wildcard pattern: object-key matching for path segments containing * or ?, and the % and !% query operators. matchLimit delegates to match.MatchLimit from github.com/tidwall/match, which counts the comparisons it performs and abandons the match once a fixed budget is exhausted. A hostile key therefore costs a bounded amount of work instead of time polynomial in its length, which closes CVE-2021-42836. One caveat for integrators: an abandoned match is reported to the caller as a non-match rather than an error, so a legitimately complex pattern (many wildcards against very long keys) can silently stop matching after the upgrade.
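The two mechanisms this page describes, the catastrophic backtracking under Technical Details and the step budget the fix introduces, are shown together in the following Go program. It is an added example for this page, not code from gjson or tidwall/match: a minimal re-implementation of the same recursive wildcard algorithm, once counting its calls and once giving up at a budget. The names matcher, MatchSteps, MatchLimit, CraftedKey and HostilePattern, the key lengths and the budget of 10000 are all chosen here for the demonstration; the upstream functions differ in signature and detail.

```go
package main

import (
	"fmt"
	"strings"
)

// matcher is an added illustration, not gjson's or tidwall/match's code: a
// minimal recursive wildcard matcher of the kind gjson uses to compare a JSON
// object key against a path segment. '*' matches any run of bytes, '?' one
// byte, everything else is literal. Every call is counted, and when maxSteps
// is positive the match is abandoned once the budget is spent.
type matcher struct {
	steps    int
	maxSteps int  // <= 0 means unbounded, the behaviour before gjson 1.9.3
	stopped  bool // set when the budget ran out
}

func (m *matcher) match(str, pat string) bool {
	if m.maxSteps > 0 && m.steps >= m.maxSteps {
		m.stopped = true
		return false
	}
	m.steps++
	for len(pat) > 0 {
		switch pat[0] {
		case '*':
			// Either the '*' matches nothing (advance the pattern) or it
			// swallows one byte and stays. On a near-miss both branches are
			// explored at every position for every '*': catastrophic backtracking.
			return m.match(str, pat[1:]) || (len(str) > 0 && m.match(str[1:], pat))
		case '?':
			if len(str) == 0 {
				return false
			}
		default:
			if len(str) == 0 || str[0] != pat[0] {
				return false
			}
		}
		str = str[1:]
		pat = pat[1:]
	}
	return len(str) == 0
}

// MatchSteps runs the unbounded matcher and reports whether key matched
// pattern and how many calls it took to decide.
func MatchSteps(key, pattern string) (matched bool, steps int) {
	m := &matcher{}
	matched = m.match(key, pattern)
	return matched, m.steps
}

// MatchLimit mirrors the idea of the fix: the same algorithm with a step
// budget. An exhausted budget is reported as stopped and the key is treated
// as not matching, so a hostile key costs at most maxSteps calls.
func MatchLimit(key, pattern string, maxSteps int) (matched, stopped bool) {
	m := &matcher{maxSteps: maxSteps}
	matched = m.match(key, pattern)
	if m.stopped {
		return false, true
	}
	return matched, false
}

// HostilePattern stands in for a wildcard path segment with several '*'.
// CraftedKey builds the object key an attacker would place in the JSON: a
// long run of 'a' that keeps every '*' branch alive but can never satisfy
// the trailing 'b'. Both are constructed inputs for this example.
const HostilePattern = "*a*a*a*a*a*b"

func CraftedKey(n int) string { return strings.Repeat("a", n) }

func main() {
	_, s := MatchSteps("user_name", "user_*")
	fmt.Println("benign key, one wildcard:", s, "steps")

	// Work grows as a polynomial in the key length whose degree is the
	// number of '*' in the segment, so doubling the key multiplies the
	// step count many times over.
	for _, n := range []int{16, 32} {
		_, s := MatchSteps(CraftedKey(n), HostilePattern)
		fmt.Printf("crafted key of %d bytes: %d steps\n", n, s)
	}

	// The budgeted matcher rejects the same key after a bounded amount of work.
	matched, stopped := MatchLimit(CraftedKey(32), HostilePattern, 10000)
	fmt.Println("with budget 10000: matched =", matched, "stopped =", stopped)
}
```

Doubling the crafted key from 16 to 32 bytes raises the unbounded step count by well over an order of magnitude because the pattern holds six wildcards, whereas the budgeted matcher gives up after 10000 calls and reports stopped rather than matched. The same trade-off the fix makes is visible here: a stopped match is indistinguishable from a non-match to the caller.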

Available Upgrade Options

  • github.com/tidwall/gjson
    • <1.9.3 → Upgrade to 1.9.3


Additional Resources

What are Similar Vulnerabilities to CVE-2021-42836?

Similar Vulnerabilities: CVE-2017-1000049, CVE-2019-10744, CVE-2020-8260, CVE-2021-23336, CVE-2021-3807