GHSA-7gcf-g7xr-8hxj

ADVISORY - github

Summary

Summary

The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through #[serde_as(as = "KeyValueMap<_>")] can be crashed by an empty inner sequence or map entry.

Details

The affected public surface includes:

  • Serialization of #[serde_as(as = "KeyValueMap<_>")] values through serde_json::to_string or any other Serde serializer`
  • Public KeyValueMap conversions for sequence and map-backed entries`

The root cause is: The KeyValueMap serializer preallocating Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) before checking that the element actually contains the required first key field or item.

The vulnerable data/control flow is: attacker-controlled empty entry -> serde_json::to_string -> KeyValueMap<TAs>::serialize_as -> SeqAsMapSerializer::{serialize_seq,serialize_map} -> Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) -> panic

Relevant source locations:

  • serde_with/src/key_value_map.rs:590
  • serde_with/src/key_value_map.rs:599
  • serde_with/src/key_value_map.rs:613
  • serde_with/src/key_value_map.rs:632
  • serde_with/src/key_value_map.rs:648

PoC

/*
[dependencies]
serde = {version = "*", features = ["derive"]}
serde_with = "*"
serde_json = "*"
*/

use serde::Serialize;
use serde_with::{serde_as, KeyValueMap};

#[derive(Serialize)]
#[serde(transparent)]
struct Seq(Vec<String>);

#[serde_as]
#[derive(Serialize)]
#[serde(transparent)]
struct KVMap {
    #[serde_as(as = "KeyValueMap<_>")]
    foo: Vec<Seq>,
}

fn main() {
    let value = KVMap {
        foo: vec![Seq(Vec::new())],
    };
    let _ = serde_json::to_string(&value).unwrap();
}

Impact

A local attacker who can trigger serialization of attacker-controlled data through KeyValueMap can terminate the process, causing a denial of service.

Common Weakness Enumeration (CWE)

ADVISORY - github

Improper Input Validation


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in