GHSA-7gcf-g7xr-8hxj
ADVISORY - githubSummary
Summary
The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through #[serde_as(as = "KeyValueMap<_>")] can be crashed by an empty inner sequence or map entry.
Details
The affected public surface includes:
- Serialization of
#[serde_as(as = "KeyValueMap<_>")]values throughserde_json::to_stringor any other Serde serializer` - Public
KeyValueMapconversions for sequence and map-backed entries`
The root cause is: The KeyValueMap serializer preallocating Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) before checking that the element actually contains the required first key field or item.
The vulnerable data/control flow is: attacker-controlled empty entry -> serde_json::to_string -> KeyValueMap<TAs>::serialize_as -> SeqAsMapSerializer::{serialize_seq,serialize_map} -> Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) -> panic
Relevant source locations:
serde_with/src/key_value_map.rs:590serde_with/src/key_value_map.rs:599serde_with/src/key_value_map.rs:613serde_with/src/key_value_map.rs:632serde_with/src/key_value_map.rs:648
PoC
/*
[dependencies]
serde = {version = "*", features = ["derive"]}
serde_with = "*"
serde_json = "*"
*/
use serde::Serialize;
use serde_with::{serde_as, KeyValueMap};
#[derive(Serialize)]
#[serde(transparent)]
struct Seq(Vec<String>);
#[serde_as]
#[derive(Serialize)]
#[serde(transparent)]
struct KVMap {
#[serde_as(as = "KeyValueMap<_>")]
foo: Vec<Seq>,
}
fn main() {
let value = KVMap {
foo: vec![Seq(Vec::new())],
};
let _ = serde_json::to_string(&value).unwrap();
}
Impact
A local attacker who can trigger serialization of attacker-controlled data through KeyValueMap can terminate the process, causing a denial of service.
Common Weakness Enumeration (CWE)
Improper Input Validation
GitHub
-