Scim_proto (<= 1.9.2) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/scim_proto--1.9.2/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 06 May 2026 23:38:49 +0000Kanidm SCIM Filter Stack Exhaustion Vulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-kanidm-scim-stack-exhaustion/Wed, 06 May 2026 23:38:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kanidm-scim-stack-exhaustion/An unauthenticated GET request with deeply nested parentheses in the SCIM filter parameter can cause stack exhaustion and process termination in Kanidm, leading to denial of service.Kanidm versions 1.7.0 through 1.9.2 are vulnerable to a stack exhaustion issue due to unbounded recursion in the SCIM filter parser. An attacker can send an unauthenticated GET request to any /scim/v1/... endpoint, including /scim/v1/Application, /scim/v1/Entry/{id}, etc., with a filter query parameter containing thousands of nested parentheses. This input drives the recursive-descent PEG parser beyond the worker thread’s stack limit. The vulnerability exists within the axum’s Query<ScimEntryGetQuery> extractor, before any authentication or authorization checks. The resulting stack overflow triggers std::process::abort(), causing the entire kanidmd process to terminate, affecting all services relying on the IDM. This can be exploited to cause a denial-of-service condition.

Attack Chain

  1. The attacker crafts a malicious GET request targeting a SCIM endpoint, such as /scim/v1/Application?filter=(...(a+pr)...).
  2. The crafted request contains a filter query parameter with thousands of nested parentheses, exceeding the stack limit.
  3. The request is received by the Kanidm server.
  4. Axum’s Query<ScimEntryGetQuery> extractor attempts to parse the filter parameter using the SCIM filter parser (scimfilter::parse).
  5. The SCIM filter parser recursively processes the nested parentheses without a depth bound, consuming stack space.
  6. The recursive parsing exceeds the worker thread’s stack guard page, leading to a stack overflow.
  7. Rust’s stack overflow handler triggers std::process::abort(), terminating the kanidmd process.
  8. The entire Kanidm service becomes unavailable, disrupting authentication, authorization, and other IDM functions.

Impact

Successful exploitation leads to a process-wide denial of service. The kanidmd process terminates, affecting all in-flight HTTP requests, OAuth2/OIDC sessions, LDAP binds, and the web UI. The vulnerability is unauthenticated and easily repeatable, allowing an attacker to hold the service down indefinitely. A single 12KB GET request is sufficient to crash the service.

Recommendation

  • Apply the patch or upgrade to a version of kanidm_proto and scim_proto greater than 1.9.2 to resolve the unbounded recursion in the SCIM filter parser.
  • Implement rate limiting on SCIM endpoints to mitigate the impact of repeated exploitation attempts.
  • Deploy the following Sigma rule to detect potentially malicious SCIM filter requests based on URL length.
  • Consider limiting the maximum size of request headers accepted by the web server to prevent large filter parameters.
]]>highadvisorydenial-of-servicescimstack-overflow