{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/json_repair--0.60.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["json_repair (\u003c 0.60.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","supply-chain","application-vulnerability","python"],"_cs_type":"advisory","_cs_vendors":["mangiucugna"],"content_html":"\u003cp\u003eAn unauthenticated attacker can exploit a critical flaw in the \u003ccode\u003ejson_repair\u003c/code\u003e library (versions prior to \u003ccode\u003e0.60.1\u003c/code\u003e) to trigger a Denial of Service (DoS) condition. The vulnerability resides in the \u003ccode\u003eSchemaRepairer.resolve_schema()\u003c/code\u003e function, which is responsible for processing JSON schema \u003ccode\u003e$ref\u003c/code\u003e pointers. This function lacks cycle detection, meaning that if an attacker supplies a schema containing a self-referencing \u003ccode\u003e$ref\u003c/code\u003e (e.g., \u003ccode\u003e{\u0026quot;$ref\u0026quot;: \u0026quot;#/definitions/a\u0026quot;, \u0026quot;definitions\u0026quot;: {\u0026quot;a\u0026quot;: {\u0026quot;$ref\u0026quot;: \u0026quot;#/definitions/a\u0026quot;}}}\u003c/code\u003e), the library enters an infinite loop. This unbounded CPU consumption by the worker process effectively halts the service, making it unavailable to other users. The vulnerability is reproducible and has been assigned a high severity CVSS score of 7.5. Applications that pass untrusted input to \u003ccode\u003ejson_repair.loads(..., schema=...)\u003c/code\u003e, including the library's public demo Flask API, are susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP POST request to a web application endpoint (e.g., \u003ccode\u003e/api/repair-json\u003c/code\u003e in the demo Flask API) that accepts user-controlled JSON input.\u003c/li\u003e\n\u003cli\u003eThe request body contains a specially crafted JSON payload that includes a \u003ccode\u003eschema\u003c/code\u003e field with a circular \u003ccode\u003e$ref\u003c/code\u003e definition, such as \u003ccode\u003e{\u0026quot;$ref\u0026quot;: \u0026quot;#/definitions/a\u0026quot;, \u0026quot;definitions\u0026quot;: {\u0026quot;a\u0026quot;: {\u0026quot;$ref\u0026quot;: \u0026quot;#/definitions/a\u0026quot;}}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application extracts the user-provided \u003ccode\u003eschema\u003c/code\u003e from the HTTP request body and passes it directly to the \u003ccode\u003ejson_repair.loads()\u003c/code\u003e function for processing.\u003c/li\u003e\n\u003cli\u003eInternally, \u003ccode\u003ejson_repair.loads()\u003c/code\u003e instantiates a \u003ccode\u003eSchemaRepairer\u003c/code\u003e object and calls its \u003ccode\u003eis_valid()\u003c/code\u003e method, which subsequently invokes the \u003ccode\u003eSchemaRepairer.resolve_schema()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003eSchemaRepairer.resolve_schema()\u003c/code\u003e, a \u003ccode\u003ewhile\u003c/code\u003e loop attempts to resolve the \u003ccode\u003e$ref\u003c/code\u003e chain without any cycle detection. Due to the circular \u003ccode\u003e$ref\u003c/code\u003e, the internal \u003ccode\u003e_resolve_ref()\u003c/code\u003e function continuously returns the same dictionary object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhile\u003c/code\u003e loop never terminates, leading to an unbounded consumption of CPU resources by the application's worker process.\u003c/li\u003e\n\u003cli\u003eThis indefinite CPU spin causes the affected worker process to hang indefinitely, making the application unresponsive and inaccessible.\u003c/li\u003e\n\u003cli\u003eThe consequence is a complete Denial of Service for other legitimate users attempting to access the service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in an unauthenticated denial-of-service condition affecting any application that utilizes the \u003ccode\u003ejson_repair\u003c/code\u003e library and exposes \u003ccode\u003ejson_repair.loads(..., schema=\u0026lt;user-controlled\u0026gt;)\u003c/code\u003e to untrusted input. A single malicious HTTP request carrying a circular \u003ccode\u003e$ref\u003c/code\u003e schema can cause a Flask worker process (or similar) to consume CPU indefinitely. This makes the service unresponsive and unavailable, requiring manual intervention such as killing the hung process or restarting the server. The attack requires no special privileges and deterministically reproduces the service disruption, though it does not affect data confidentiality or integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch the \u003ccode\u003ejson_repair\u003c/code\u003e library to version \u003ccode\u003e0.60.1\u003c/code\u003e or higher immediately to address the identified vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitize all user-supplied JSON schemas before passing them to \u003ccode\u003ejson_repair.loads()\u003c/code\u003e with the \u003ccode\u003eschema\u003c/code\u003e parameter, specifically checking for circular \u003ccode\u003e$ref\u003c/code\u003e definitions to prevent the infinite loop.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T23:43:51Z","date_published":"2026-07-13T23:43:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-circular-json-schema-dos/","summary":"An unbounded CPU Denial-of-Service vulnerability exists in the `json_repair` library's `SchemaRepairer.resolve_schema()` function, allowing an unauthenticated attacker to provide a specially crafted JSON schema containing a circular `$ref` pointer, leading to indefinite CPU consumption and service unavailability.","title":"Circular JSON Schema $ref Causes Unbounded CPU DoS in json_repair Library","url":"https://feed.craftedsignal.io/briefs/2026-07-circular-json-schema-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Json_repair (\u003c 0.60.1)","version":"https://jsonfeed.org/version/1.1"}