This CVE exploits the disparity in memory usage between a serialized JSON payload and its deserialized in-memory representation. An attacker can craft a malicious JSON object, akin to a zip bomb, that is small in its serialized form but expands dramatically, by a factor of up to 35, when decoded into a Go `map[string]interface{}` by the OpenBao server. This deserialization happens early in the request handling process, before authentication. By sending this payload, an attacker can exhaust the server's memory (OOM crash), bypassing the `max_request_size` protection, which only bounds the serialized size of the request. The attack is unauthenticated, making it highly effective for Denial of Service. Additionally, specific JSON structures with numerous strings can cause high CPU consumption in the audit subsystem.
Platform: OpenBao
Version: Pre-remediation
Vulnerability: JSON Bomb
Severity: Critical
Date: 2023
Prediction: 2023-10-15
What Undercode Say:
```bash
# Request to the /v1/sys/audit endpoint; $token holds the operator's token
curl -X POST http://openbao:8200/v1/sys/audit -H "X-Vault-Token: $token" -d '{"type":"file", "options": {"file_path":"/vault/audit/audit.log"}}'
```

```go
// Pre-remediation handling: the request body is decoded into an untyped map
// before authentication. This allocation is what the JSON bomb targets.
// Requires "encoding/json".
var data map[string]interface{}
if err := json.Unmarshal(body, &data); err != nil {
	return nil, err
}
```
How to Exploit:
Craft small JSON file.
Target `/v1/sys/audit` endpoint.
Send unauthenticated POST request.
Trigger memory exhaustion.
Protection from this CVE
Set `max_request_json_memory`.
Set `max_request_json_strings`.
Update OpenBao version.
Impact:
Unauthenticated Denial of Service.
Bypasses `max_request_size`.
High CPU consumption.
Sources:
Reported By: github.com