CVE-2023-33460 - Memory Leak Vulnerability in yajl 2.1.’s yajl_tree_parse Function

In mid-2023, a significant vulnerability was found in yajl, a widely-used C library for parsing JSON. The flaw, assigned CVE-2023-33460, exposes systems using yajl v2.1. to memory leaks when the yajl_tree_parse() function processes malformed JSON. This post explains the issue in simple terms, shows code snippets, links to key sources, and demonstrates the potential for denial-of-service via server crashes.

What Is yajl?

yajl (Yet Another JSON Library) is a C library to parse, generate, and handle JSON data. Many applications depend on it for fast and efficient JSON processing, especially in server-heavy workflows.

How the Leak Happens

The vulnerability lives in the yajl_tree_parse() function. When called on certain malformed or crafted JSON strings, the library allocates memory but then fails to free all of it if an error happens while parsing. If this is done repeatedly (for example, by sending API requests with bad JSON), all the leaked bytes add up—eventually leading the server process to exhaust system memory and crash.

Impact: Remote denial-of-service (DoS) via out-of-memory condition and server crash

- CVE ID: CVE-2023-33460

Here’s a simplified vulnerable code pattern using yajl_tree_parse

#include <stdio.h>
#include <stdlib.h>
#include <yajl/yajl_tree.h>

int main() {
    const char *malformed_json = "{this is not valid json]";
    char error_buffer[1024];

    for (int i = ; i < 100000; i++) {
        yajl_val root = yajl_tree_parse(malformed_json, error_buffer, sizeof(error_buffer));
        // root will be NULL, but memory may still be leaked inside yajl
        // Memory is not always correctly freed if parse fails

        // Proper code would call yajl_tree_free(root) if root != NULL, but
        // with this specific bug, not all allocations are cleaned up on error.
    }
    return ;
}

The server’s process heap slowly grows beyond physical memory limits.

4. Linux OOM-killer steps in or the process simply crashes. Legitimate requests are denied or interrupted, causing a Denial of Service.

You can confirm the presence of the vulnerability on your server like this

for i in {1..10000}; do
   curl -d '{not a valid json]' http://yourserver/api/endpoint
done

References & Links

- National Vulnerability Database entry - CVE-2023-33460
- yajl GitHub repository
- Original Disclosure: huntr.dev report
- Patch PR (if available) (check for updates)

Quick Fixes and Best Practices

- Upgrade: Patch to the latest version of yajl (check GitHub for updates).
- Input Validation: Filter on the application side before attempting to parse—reject obviously malformed content early.
- Resource Limits: In the short term, use ulimit (on Linux) to cap per-process memory, and isolate vulnerable components.

Conclusion

CVE-2023-33460 in yajl 2.1. is a classic example where one malformed request won’t hurt, but lots of them together can cripple a service. The takeaway: always keep your dependencies up-to-date, look for vendor advisories, and consider up-front checks on user input before trusting your libraries to handle every scenario perfectly.


Stay safe! If you run services that process JSON using C libraries, double-check you’re not running vulnerable versions of yajl.

Timeline

Published on: 06/06/2023 12:15:00 UTC
Last modified on: 08/05/2023 19:15:00 UTC