<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mangiucugna - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/mangiucugna/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 23:43:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/mangiucugna/feed.xml" rel="self" type="application/rss+xml"/><item><title>Circular JSON Schema $ref Causes Unbounded CPU DoS in json_repair Library</title><link>https://feed.craftedsignal.io/briefs/2026-07-circular-json-schema-dos/</link><pubDate>Mon, 13 Jul 2026 23:43:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-circular-json-schema-dos/</guid><description>An unbounded CPU Denial-of-Service vulnerability exists in the `json_repair` library's `SchemaRepairer.resolve_schema()` function, allowing an unauthenticated attacker to provide a specially crafted JSON schema containing a circular `$ref` pointer, leading to indefinite CPU consumption and service unavailability.</description><content:encoded><![CDATA[<p>An unauthenticated attacker can exploit a critical flaw in the <code>json_repair</code> library (versions prior to <code>0.60.1</code>) to trigger a Denial of Service (DoS) condition. The vulnerability resides in the <code>SchemaRepairer.resolve_schema()</code> function, which is responsible for processing JSON schema <code>$ref</code> pointers. This function lacks cycle detection, meaning that if an attacker supplies a schema containing a self-referencing <code>$ref</code> (e.g., <code>{&quot;$ref&quot;: &quot;#/definitions/a&quot;, &quot;definitions&quot;: {&quot;a&quot;: {&quot;$ref&quot;: &quot;#/definitions/a&quot;}}}</code>), the library enters an infinite loop. This unbounded CPU consumption by the worker process effectively halts the service, making it unavailable to other users. The vulnerability is reproducible and has been assigned a high severity CVSS score of 7.5. Applications that pass untrusted input to <code>json_repair.loads(..., schema=...)</code>, including the library's public demo Flask API, are susceptible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends an HTTP POST request to a web application endpoint (e.g., <code>/api/repair-json</code> in the demo Flask API) that accepts user-controlled JSON input.</li>
<li>The request body contains a specially crafted JSON payload that includes a <code>schema</code> field with a circular <code>$ref</code> definition, such as <code>{&quot;$ref&quot;: &quot;#/definitions/a&quot;, &quot;definitions&quot;: {&quot;a&quot;: {&quot;$ref&quot;: &quot;#/definitions/a&quot;}}}</code>.</li>
<li>The vulnerable application extracts the user-provided <code>schema</code> from the HTTP request body and passes it directly to the <code>json_repair.loads()</code> function for processing.</li>
<li>Internally, <code>json_repair.loads()</code> instantiates a <code>SchemaRepairer</code> object and calls its <code>is_valid()</code> method, which subsequently invokes the <code>SchemaRepairer.resolve_schema()</code> function.</li>
<li>Within <code>SchemaRepairer.resolve_schema()</code>, a <code>while</code> loop attempts to resolve the <code>$ref</code> chain without any cycle detection. Due to the circular <code>$ref</code>, the internal <code>_resolve_ref()</code> function continuously returns the same dictionary object.</li>
<li>The <code>while</code> loop never terminates, leading to an unbounded consumption of CPU resources by the application's worker process.</li>
<li>This indefinite CPU spin causes the affected worker process to hang indefinitely, making the application unresponsive and inaccessible.</li>
<li>The consequence is a complete Denial of Service for other legitimate users attempting to access the service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability results in an unauthenticated denial-of-service condition affecting any application that utilizes the <code>json_repair</code> library and exposes <code>json_repair.loads(..., schema=&lt;user-controlled&gt;)</code> to untrusted input. A single malicious HTTP request carrying a circular <code>$ref</code> schema can cause a Flask worker process (or similar) to consume CPU indefinitely. This makes the service unresponsive and unavailable, requiring manual intervention such as killing the hung process or restarting the server. The attack requires no special privileges and deterministically reproduces the service disruption, though it does not affect data confidentiality or integrity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch the <code>json_repair</code> library to version <code>0.60.1</code> or higher immediately to address the identified vulnerability.</li>
<li>Implement strict input validation and sanitize all user-supplied JSON schemas before passing them to <code>json_repair.loads()</code> with the <code>schema</code> parameter, specifically checking for circular <code>$ref</code> definitions to prevent the infinite loop.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>supply-chain</category><category>application-vulnerability</category><category>python</category></item></channel></rss>