GHSA-7gcf-g7xr-8hxj
ADVISORY - githubSummary
Summary
The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through #[serde_as(as = "KeyValueMap<_>")] can be crashed by an empty inner sequence or map entry.
Details
The affected public surface includes:
- Serialization of
#[serde_as(as = "KeyValueMap<_>")]values throughserde_json::to_stringor any other Serde serializer` - Public
KeyValueMapconversions for sequence and map-backed entries`
The root cause is: The KeyValueMap serializer preallocating Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) before checking that the element actually contains the required first key field or item.
The vulnerable data/control flow is: attacker-controlled empty entry -> serde_json::to_string -> KeyValueMap<TAs>::serialize_as -> SeqAsMapSerializer::{serialize_seq,serialize_map} -> Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) -> panic
Relevant source locations:
serde_with/src/key_value_map.rs:590serde_with/src/key_value_map.rs:599serde_with/src/key_value_map.rs:613serde_with/src/key_value_map.rs:632serde_with/src/key_value_map.rs:648
PoC
/*
[dependencies]
serde = {version = "*", features = ["derive"]}
serde_with = "*"
serde_json = "*"
*/
use serde::Serialize;
use serde_with::{serde_as, KeyValueMap};
#[derive(Serialize)]
#[serde(transparent)]
struct Seq(Vec<String>);
#[serde_as]
#[derive(Serialize)]
#[serde(transparent)]
struct KVMap {
#[serde_as(as = "KeyValueMap<_>")]
foo: Vec<Seq>,
}
fn main() {
let value = KVMap {
foo: vec![Seq(Vec::new())],
};
let _ = serde_json::to_string(&value).unwrap();
}
Impact
A local attacker who can trigger serialization of attacker-controlled data through KeyValueMap can terminate the process, causing a denial of service.
Common Weakness Enumeration (CWE)
Improper Input Validation
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in