Impact
What kind of vulnerability is it? Who is impacted?
Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jsoup 1.14.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
References
Are there any links users can visit to find out more?
https://jsoup.org/news/release-1.14.2
https://jsoup.org/news/release-1.14.1
These impacting inputs were found through the use of the Jazzer JVM Fuzzer, running in the OSS-Fuzz project.
OSS-Fuzz Integration of jsoup was done by Roman Wagner from Code Intelligence.
For more information
If you have any questions or comments about this advisory:
- Open a discussion issue in jsoup
Impact
What kind of vulnerability is it? Who is impacted?
Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jsoup 1.14.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.
References
Are there any links users can visit to find out more?
https://jsoup.org/news/release-1.14.2
https://jsoup.org/news/release-1.14.1
These impacting inputs were found through the use of the Jazzer JVM Fuzzer, running in the OSS-Fuzz project.
OSS-Fuzz Integration of jsoup was done by Roman Wagner from Code Intelligence.
For more information
If you have any questions or comments about this advisory: