Listen to this Post
How the mentioned CVE works:
The vulnerability resides in `fio_json_parser.h` within the numeral handling block (lines 434-468). When parsing a nested JSON value starting with `i` or I, the parser jumps to the numeral label and calls fio_atol(). For bare i/I, `fio_atol` consumes zero characters, leaving tmp == pos. The code then checks `JSON_NUMERAL
` – but `JSON_NUMERAL['i']` is false, so it incorrectly accepts the value as an integer and sets `pos = tmp` without advancing the pointer. Because the parser remains nested (<code>parser->depth > 0</code>), the outer loop repeats with the same <code>pos</code>, causing an infinite spin. The same logic exists in iodine’s vendored copy. Payloads like <code>[i</code>, <code>{"a":i</code>, <code>[""i</code>, and `{"a":""i` trigger the hang, as the parser tolerates missing commas and treats the trailing `i` as a new value. The process pegs one CPU core at 100% and never returns a parse error. No memory corruption occurs, only denial of service via CPU exhaustion.
<h2 style="color: blue;">DailyCVE form:</h2>
Platform: facil.io/iodine
Version: 0.7.5/0.7.6/0.7.58
Vulnerability: Infinite loop DoS
Severity: Medium
date: 2026-04-14
<h2 style="color: blue;">Prediction: Patch within two weeks</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
Test for vulnerability in facil.io server
git checkout 0.7.6
make NAME=http_json_poc
./http_json_poc &
printf '[i' | curl -H 'Content-Type: application/json' -X POST --data-binary @- http://127.0.0.1:3000/
Observe CPU spin with 'top' or 'htop'
top -p $(pgrep http_json_poc)
Test iodine Ruby gem
cat > poc.rb << 'EOF'
require "iodine"
APP = proc { |env| Iodine::JSON.parse(env["rack.input"].read); [200,{},["ok"]] }
Iodine.listen port:3000, handler: APP; Iodine.threads=1; Iodine.start
EOF
ruby poc.rb &
printf '[""i' | curl -X POST --data-binary @- http://127.0.0.1:3000/
Exploit:
Send HTTP POST with `Content-Type: application/json` and body `[i` (or {"a":i, [""i, {"a":""i). The server thread hangs indefinitely at `http_parse_body` or Iodine::JSON.parse. No response is returned, and one CPU core stays at 100% utilization. Repeated requests exhaust all worker threads.
Protection from this CVE:
Apply patch adding `tmp == pos` check in `fio_json_parser.h` numeral handling. Reject zero-consumption numeric parses before accepting token. For iodine, patch `ext/iodine/fio_json_parser.h` identically. Workaround: validate JSON externally (e.g., with a strict JSON parser) before passing to vulnerable functions, or filter requests containing bare i/I at array/object start.
Impact:
Denial of service – single crafted request ties up one worker thread at 100% CPU. For multi-threaded servers, attacker can send multiple requests to exhaust all workers, rendering service unavailable. No data leakage or integrity loss. High availability impact for exposed JSON endpoints.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

