CVE-2019-15550

The simd-json crate [1] for Rust, an extremely fast JSON parser using SIMD instructions, was found to have an out-of-bounds read and incorrect page boundary crossing vulnerability in its string parsing logic. The flaw was introduced in version 0.1.14 via an optimization that was later reverted [4]. This results in invalid memory access when processing malformed JSON input [2].

Exploitation of this vulnerability requires no authentication or user interaction. An attacker can deliver a specially crafted JSON payload over the network to an application using the vulnerable simd-json library, causing the parser to read beyond the allocated buffer or cross page boundaries. This leads to a segmentation fault and denial of service.

The impact is limited to denial of service. According to the CVSS v3.1 score of 7.5 (High), the availability impact is high, but confidentiality and integrity are not affected [2]. The vulnerability does not allow for code execution or data leakage.

The issue has been fixed in simd-json version 0.1.15 by reverting the problematic commit [4]. Users are advised to update their dependencies to version 0.1.15 or later. Versions 0.1.13 and earlier are not affected [2].