Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Dear xstream maintainers,

Multiple bugs(Stackoverflows) were found during fuzzing by Jazzer in xstream. We would like to provide you with access to the bugs at Google OSS-Fuzz before they get publicly disclosed.

What do we need from you?

We need an email address that is associated with a Google Account as per Accept new projects. In the past we have already contacted you during the onboarding of your project, but the request was rejected or no email was shared with us.

What do you get by sharing your email address?

When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. Each finding will have a crashing input that you can use to easily reproduce the bug.

Attention: All bug details will be made public automatically after the deadline of 90 days has exceeded or after the fix is released. For projects without maintainers we will do our best to support the disclosure process. Depending on our resources we will try to create an issues for every bug in your public issues tracker. In addition, we will request CVEs for security related vulnerabilities.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

Thank you for your reading and hope to hear from you soon!

CVE-2022-40151: New OSS-Fuzz Findings in xstream · Issue #304 · x-stream/xstream

CVE-2022-40156

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

CVE-2022-40150

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

CVE-2022-40149

CVE-2022-40152

CVE-2022-40153

Those using Xstream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

CVE-2022-40154

CVE-2022-40155

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

CVE-2022-37260: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

**Impact**

A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

**Patches**

This vulnerability has been patched in 0.29.0.gfm.6.

You may verify the patch by running python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm.

**Workarounds**

Disable use of the autolink extension.

**References**

https://en.wikipedia.org/wiki/Time\_complexity

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in github/cmark-gfm

**Acknowledgements**

We would like to thank @Legit-Labs for reporting this vulnerability.

Tag

#dos