{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/scim/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kanidm_proto (\u003c= 1.9.2)","scim_proto (\u003c= 1.9.2)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","scim","stack-overflow"],"_cs_type":"advisory","_cs_vendors":["kanidm"],"content_html":"\u003cp\u003eKanidm versions 1.7.0 through 1.9.2 are vulnerable to a stack exhaustion issue due to unbounded recursion in the SCIM filter parser. An attacker can send an unauthenticated GET request to any \u003ccode\u003e/scim/v1/...\u003c/code\u003e endpoint, including \u003ccode\u003e/scim/v1/Application\u003c/code\u003e, \u003ccode\u003e/scim/v1/Entry/{id}\u003c/code\u003e, etc., with a \u003ccode\u003efilter\u003c/code\u003e query parameter containing thousands of nested parentheses. This input drives the recursive-descent PEG parser beyond the worker thread\u0026rsquo;s stack limit. The vulnerability exists within axum\u0026rsquo;s \u003ccode\u003eQuery\u0026lt;ScimEntryGetQuery\u0026gt;\u003c/code\u003e extractor, before any authentication or authorization checks. The resulting stack overflow triggers \u003ccode\u003estd::process::abort()\u003c/code\u003e, causing the entire \u003ccode\u003ekanidmd\u003c/code\u003e process to terminate, affecting all services relying on the IDM. This can be exploited to cause a denial-of-service condition.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting a SCIM endpoint, such as \u003ccode\u003e/scim/v1/Application?filter=(...(a+pr)...)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request contains a \u003ccode\u003efilter\u003c/code\u003e query parameter with thousands of nested parentheses, exceeding the stack limit.\u003c/li\u003e\n\u003cli\u003eThe request is received by the Kanidm server.\u003c/li\u003e\n\u003cli\u003eAxum\u0026rsquo;s \u003ccode\u003eQuery\u0026lt;ScimEntryGetQuery\u0026gt;\u003c/code\u003e extractor attempts to parse the \u003ccode\u003efilter\u003c/code\u003e parameter using the SCIM filter parser (\u003ccode\u003escimfilter::parse\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe SCIM filter parser recursively processes the nested parentheses without a depth bound, consuming stack space.\u003c/li\u003e\n\u003cli\u003eThe recursive parsing exceeds the worker thread\u0026rsquo;s stack guard page, leading to a stack overflow.\u003c/li\u003e\n\u003cli\u003eRust\u0026rsquo;s stack overflow handler triggers \u003ccode\u003estd::process::abort()\u003c/code\u003e, terminating the \u003ccode\u003ekanidmd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe entire Kanidm service becomes unavailable, disrupting authentication, authorization, and other IDM functions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to a process-wide denial of service. The \u003ccode\u003ekanidmd\u003c/code\u003e process terminates, affecting all in-flight HTTP requests, OAuth2/OIDC sessions, LDAP binds, and the web UI. The vulnerability is unauthenticated and easily repeatable, allowing an attacker to hold the service down indefinitely. A single 12KB GET request is sufficient to crash the service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of \u003ccode\u003ekanidm_proto\u003c/code\u003e and \u003ccode\u003escim_proto\u003c/code\u003e greater than 1.9.2 to resolve the unbounded recursion in the SCIM filter parser.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on SCIM endpoints to mitigate the impact of repeated exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potentially malicious SCIM filter requests based on URL length.\u003c/li\u003e\n\u003cli\u003eConsider limiting the maximum size of request headers accepted by the web server to prevent large \u003ccode\u003efilter\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T23:38:49Z","date_published":"2026-05-06T23:38:49Z","id":"/briefs/2024-01-kanidm-scim-stack-exhaustion/","summary":"An unauthenticated GET request with deeply nested parentheses in the SCIM filter parameter can cause stack exhaustion and process termination in Kanidm, leading to denial of service.","title":"Kanidm SCIM Filter Stack Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-kanidm-scim-stack-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Scim","version":"https://jsonfeed.org/version/1.1"}