Integer overflow when reading corrupted .avro file in Avro Rust SDK
Description
It is possible to crash (panic) an application by providing corrupted data to be read. This issue affects Rust applications using the Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0, which addresses this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Avro Rust SDK prior to 0.14.0 can panic when processing corrupted data, enabling denial of service via crafted input.
Vulnerability
Description
CVE-2022-36125 is a denial-of-service vulnerability in the Apache Avro Rust SDK (formerly known as avro-rs) affecting versions prior to 0.14.0. The issue lies in the data deserialization logic: when the SDK reads a specially corrupted data payload, it triggers a panic (runtime crash) instead of gracefully handling the error. This is a classic unhandled panic in Rust, which can cause the entire application process to terminate unexpectedly [1].
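As an added illustration (not code from the Avro SDK or this advisory), the hypothetical reader below decodes an Avro-style zig-zag varint length and shows how trusting a corrupted length turns into a panic, beside a version that returns an error instead. The function names, the constructed byte buffers and the exact overflow pattern are assumptions for the demonstration, not the SDK's actual code path.

```rust
// Added example, not from the Avro SDK: a hypothetical block reader showing how a
// corrupted length field becomes a panic, beside a checked version that returns Err.
use std::convert::TryFrom;

/// Decode one Avro `long`: zig-zag integer in little-endian base-128 varint form.
/// Returns (value, bytes consumed) or an error for truncated or over-long input.
pub fn decode_long(buf: &[u8], pos: usize) -> Result<(i64, usize), String> {
    let mut result: u64 = 0;
    let mut shift = 0u32;
    let mut i = pos;
    loop {
        let byte = *buf.get(i).ok_or("truncated varint")?;
        if shift > 63 {
            return Err("varint longer than 10 bytes".into());
        }
        result |= u64::from(byte & 0x7f) << shift;
        i += 1;
        if byte & 0x80 == 0 {
            break;
        }
        shift += 7;
    }
    // zig-zag decode: (n >> 1) ^ -(n & 1)
    let value = ((result >> 1) as i64) ^ -((result & 1) as i64);
    Ok((value, i - pos))
}

/// Naive reader (the vulnerable pattern): trusts the decoded length, so a length
/// larger than the buffer, or a negative one cast to usize, panics on the slice.
pub fn block_bytes_naive(buf: &[u8], pos: usize) -> Result<&[u8], String> {
    let (len, n) = decode_long(buf, pos)?;
    let start = pos + n;
    Ok(&buf[start..start + len as usize])
}

/// Hardened reader: every conversion and bound is checked; corrupted input yields Err.
pub fn block_bytes_checked(buf: &[u8], pos: usize) -> Result<&[u8], String> {
    let (len, n) = decode_long(buf, pos)?;
    let len = usize::try_from(len).map_err(|_| "negative block length")?;
    let start = pos + n;
    let end = start.checked_add(len).ok_or("block length overflows usize")?;
    buf.get(start..end).ok_or_else(|| "block extends past end of buffer".to_string())
}

fn main() {
    let good = [0x06, b'a', b'b', b'c']; // constructed: length 3 followed by "abc"
    println!("{:?}", block_bytes_checked(&good, 0));
    let bad = [0xD0, 0x0F, b'a']; // constructed: claims 1000 bytes, only 1 present
    println!("{:?}", block_bytes_checked(&bad, 0));
}
```

The checked reader is the shape of the fix a library applies; for applications it does not replace updating the crate, since the panic sits inside the SDK's own deserialization path.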
Attack
Vector and Exploitation
The vulnerability is exploitable over the network if the application reads Avro-encoded data from untrusted sources, such as user-uploaded files, incoming network messages, or data from third-party services. No prior authentication is required if the application exposes an input endpoint that accepts arbitrary Avro data. The attacker only needs to craft a malformed Avro payload that triggers the panic condition. The attack does not require code execution; it merely needs to supply the corrupted input to a vulnerable version of the library [1][2].
Impact
Successful exploitation leads to an application crash (denial of service). This can be used to disrupt the availability of services that rely on the Apache Avro Rust SDK to deserialize Avro data. Since a single malicious input can terminate the process, it may be leveraged in repeated attacks to keep the service offline. No data corruption, privilege escalation, or information disclosure has been reported for this CVE [1].
Mitigation
The vulnerability is fixed in Apache Avro Rust SDK version 0.14.0. Users should update the apache-avro crate to 0.14.0 or later. There is no known workaround besides updating the library. The CVE does not currently appear on the CISA Known Exploited Vulnerabilities (KEV) list [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-avro (crates.io) | < 0.14.0 | 0.14.0 |
Affected products
- Apache Software Foundation / Apache Avro (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-3w5g-989p-35r8 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2022-36125 (NVD entry)
- [3] https://lists.apache.org/thread/t1r5xz0pvhm4tosqopjpj6dz8zlsht07 (Apache announcement thread)
News mentions
No linked articles in our index yet.