CVE-2022-28366 is a security vulnerability that affects certain Neko-related HTML parsers. The vulnerability could allow an attacker to cause a Denial of Service (DoS) by crafting specific Processing Instruction (PI) input which leads to excessive heap memory consumption. This vulnerability has been identified in HtmlUnit-Neko up to version 2.26 and CyberNeko HTML up to version 1.9.22 (also impacting OWASP AntiSamy before 1.6.6). The security issue is fixed in HtmlUnit-Neko version 2.27. However, the last version of CyberNeko HTML is 1.9.22, which means the vulnerability is still present.

This post provides a detailed explanation of the exploit, code snippets to demonstrate the issue, and links to original references related to CVE-2022-28366. The post also briefly discusses the potential relationship with CVE-2022-24939.

Exploit Details

When processing user-supplied PI input, the affected HTML parsers do not properly limit the heap memory allocation, causing the memory consumption to spike and potentially exhaust system resources. An attacker can exploit this flaw to trigger a DoS, which can render the targeted application or website unusable, potentially resulting in significant service disruption.

A proof-of-concept example illustrating the exploit is shown below:

# CVE-2022-28366 PoC example (illustrative pseudocode)

def exploit():
    # Crafted PI with oversized repeat/bytes attributes, as described above
    crafted_PI = '<?exploit repeat="10000000" bytes="10000000"?>'

    # Placeholder: stands in for instantiating an affected Neko-related HTML parser
    parser = load_affected_parser()

    # Parse the crafted PI input, causing excessive heap memory consumption
    parser.parse(crafted_PI)

The above sample code generates a crafted PI input with excessive repeat and bytes attributes. When the affected HTML parser processes this input, it consumes an excessive amount of heap memory, potentially leading to a DoS.

To mitigate this vulnerability, users of the affected parsers should update to a fixed version:

- HtmlUnit-Neko: Update to version 2.27, which includes a fix for the vulnerability
- OWASP AntiSamy: Update to version 1.6.6 or later

Note that CyberNeko HTML is no longer being maintained, and its last version (1.9.22) is still vulnerable. Users of this library should consider migrating to more recent and secure alternatives.
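As an added defender-side example (not code from this post or from any of the projects named), the following script flags Maven dependency coordinates that fall in the affected ranges stated above: neko-htmlunit below 2.27, any nekohtml (CyberNeko) version, and antisamy below 1.6.6. The Maven coordinates are assumed from each project's public releases, and the sample input is constructed in the shape of `mvn dependency:list` output.

```python
import re
# (groupId, artifactId) -> first fixed version per the advisory; None = no fix.
# Coordinates are assumed from each project's public Maven releases.
AFFECTED = {
    ("net.sourceforge.htmlunit", "neko-htmlunit"): "2.27",
    ("net.sourceforge.nekohtml", "nekohtml"): None,       # CyberNeko: never fixed
    ("org.owasp.antisamy", "antisamy"): "1.6.6",
}

def version_key(version):
    """Numeric prefix of a version as a tuple, so '2.26' < '2.27' < '2.100'."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in core.group(0).split(".")) if core else ()

def parse_coordinate(line):
    """Return (group, artifact, version) from 'g:a:v' or 'g:a:type:v:scope'."""
    parts = re.sub(r"^\[INFO\]", "", line).strip().split(":")
    if len(parts) < 3:
        return None
    # the version is the first component after artifactId that starts with a digit
    for part in parts[2:]:
        if part[:1].isdigit():
            return parts[0], parts[1], part
    return None

def assess(coordinate):
    """'vulnerable', 'fixed', or None when the artifact is out of scope."""
    parsed = parse_coordinate(coordinate)
    if parsed is None or (parsed[0], parsed[1]) not in AFFECTED:
        return None
    fixed = AFFECTED[(parsed[0], parsed[1])]
    if fixed is None or version_key(parsed[2]) < version_key(fixed):
        return "vulnerable"
    return "fixed"

def scan(lines):
    """Map each in-scope coordinate to its verdict; other lines are ignored."""
    return {ln.strip(): v for ln in lines if (v := assess(ln)) is not None}

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    net.sourceforge.htmlunit:neko-htmlunit:jar:2.26:compile
[INFO]    net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
[INFO]    org.owasp.antisamy:antisamy:jar:1.6.6:compile
[INFO]    org.example:unrelated-lib:jar:1.0:compile
"""
if __name__ == "__main__":
    for coord, verdict in scan(SAMPLE.splitlines()).items():
        print(f"{verdict:10} {coord}")
```

Feed it the real `mvn dependency:list` output of a build to get a per-artifact verdict against the ranges in this post.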

References

- CVE-2022-28366 (NVD entry)
- HtmlUnit-Neko GitHub repository
- OWASP AntiSamy GitHub repository
- CVE-2022-24939 (NVD entry)

Conclusion

CVE-2022-28366 is a critical vulnerability affecting Neko-related HTML parsers, causing a potential Denial of Service due to excessive heap memory consumption. Users of affected libraries should update to the latest, fixed versions or consider alternative parsers to avoid potential service disruption. Additionally, it is essential to monitor new security vulnerabilities and stay up-to-date on patches and fixes to maintain a secure and robust application environment.

Timeline

Published on: 04/21/2022 23:15:00 UTC
Last modified on: 05/04/2022 14:02:00 UTC