
Vulnerability Report: Deeply Nested HJSON Objects DoS in hjson-rs #39

@scacaca


Summary

A Denial of Service (DoS) vulnerability exists in hjson-rs, caused by crafted HJSON objects with deeply nested structures.

Description

An issue was discovered in the latest versions of hjson-rs that allows attackers to trigger a denial of service or other unspecified impacts via specially crafted HJSON objects with excessive nesting depth.

Although similar vulnerabilities have been fixed in other HJSON implementations (such as Java and Python), hjson-rs does not currently implement equivalent depth-limiting logic.

The relevant vulnerable functions include, but may not be limited to:

  • parse_value
  • visit_map
  • parse_tfnns
  • SeqVisitor / MapVisitor

These functions recursively parse nested structures without enforcing a maximum recursion depth, allowing attackers to exhaust the call stack or memory, leading to DoS.

Patch / Mitigation

A similar fix has been applied in other HJSON implementations, which can be adopted in hjson-rs:

  • Introduce a maximum parse depth constant (e.g., MAX_DEPTH = 1000).
  • Track the current depth during parsing.
  • If the current depth exceeds MAX_DEPTH, return an error or abort parsing.

This approach effectively prevents stack overflow or excessive resource consumption caused by deeply nested objects.
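As an added illustration of the mitigation described above (example code written for this report, not hjson-rs's own parser): a minimal recursive-descent parser for nested HJSON-style containers that carries the current depth through each recursive call and fails closed once MAX_DEPTH is exceeded, instead of recursing until the stack is exhausted. The names `Node`, `ParseError`, `parse` and `parse_value` are assumptions that only mirror the issue's terminology; scalars and key/value syntax are deliberately reduced to single alphanumeric tokens so that only the nesting logic is shown.

```rust
// Maximum number of simultaneously open containers ([ or {) accepted.
const MAX_DEPTH: usize = 1000;

#[derive(Debug, PartialEq)]
pub enum Node {
    Array(Vec<Node>),
    Object(Vec<Node>),
    Scalar,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    DepthExceeded { at: usize },
    Unexpected(Option<char>),
}

pub fn parse(input: &str) -> Result<Node, ParseError> {
    let bytes = input.as_bytes();
    let mut pos = 0;
    let node = parse_value(bytes, &mut pos, 0)?;
    skip_ws(bytes, &mut pos);
    if pos != bytes.len() {
        return Err(ParseError::Unexpected(Some(bytes[pos] as char)));
    }
    Ok(node)
}

fn skip_ws(b: &[u8], pos: &mut usize) {
    while *pos < b.len() && b[*pos].is_ascii_whitespace() { *pos += 1; }
}

// `depth` is the number of containers already open around this value.
// The check happens before another container is entered, so at most
// MAX_DEPTH recursive frames can ever be live regardless of input size.
fn parse_value(b: &[u8], pos: &mut usize, depth: usize) -> Result<Node, ParseError> {
    skip_ws(b, pos);
    let (close, make): (u8, fn(Vec<Node>) -> Node) = match b.get(*pos) {
        Some(b'[') => (b']', Node::Array as fn(Vec<Node>) -> Node),
        Some(b'{') => (b'}', Node::Object as fn(Vec<Node>) -> Node),
        Some(c) if c.is_ascii_alphanumeric() => { *pos += 1; return Ok(Node::Scalar); }
        other => return Err(ParseError::Unexpected(other.map(|c| *c as char))),
    };
    if depth >= MAX_DEPTH {
        return Err(ParseError::DepthExceeded { at: depth + 1 });
    }
    *pos += 1; // consume the opening bracket/brace
    let mut items = Vec::new();
    loop {
        skip_ws(b, pos);
        match b.get(*pos) {
            Some(&c) if c == close => { *pos += 1; return Ok(make(items)); }
            Some(b',') => *pos += 1,
            _ => items.push(parse_value(b, pos, depth + 1)?),
        }
    }
}
```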

References

  • HJSON Java Fix Commit
  • Vulnerable patterns observed in parse_value, visit_map, parse_tfnns, SeqVisitor, and MapVisitor.

Acknowledgments

Thanks to the security research community for identifying and documenting this class of vulnerabilities.
