Denial of service in HtmlUnit
Description
Those using HtmlUnit to browse untrusted webpages may be vulnerable to Denial of service attacks (DoS). If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack.This issue affects htmlunit before 2.70.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HtmlUnit before 2.70.0 is vulnerable to denial of service via stack overflow when processing untrusted web pages.
Vulnerability
CVE-2023-2798 is a denial-of-service vulnerability in HtmlUnit, a headless browser for Java. The bug resides in the DOM traversal logic, specifically in the getNextElementUpwards method, which uses recursion to navigate the DOM tree. When processing a deeply nested or specially crafted HTML document, this recursion can exhaust the call stack, causing the application to crash [1].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious web page containing deeply nested elements or other structures that trigger the recursive traversal. No authentication is required; the victim only needs to use HtmlUnit to browse the attacker-controlled page. The attack surface is any application that uses HtmlUnit to parse untrusted HTML content [1].
Impact
Successful exploitation results in a stack overflow, leading to a crash of the HtmlUnit process. This constitutes a denial-of-service condition, potentially disrupting services that rely on HtmlUnit for web scraping, testing, or automation [1].
Mitigation
The vulnerability is fixed in HtmlUnit version 2.70.0, released on May 25, 2023 [4]. The fix replaces the recursive call in getNextElementUpwards with an iterative loop, preventing stack exhaustion [3]. Users should upgrade to 2.70.0 or later. No workarounds are documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.htmlunit:htmlunitMaven | < 2.70.0 | 2.70.0 |
Affected products
3Patches
1940dc7fdremove recursion to make the fuzzer happy
1 file changed · +14 −12
src/main/java/com/gargoylesoftware/htmlunit/html/DomNode.java+14 −12 modified@@ -1453,18 +1453,19 @@ private DomNode getNextElementUpwards(final DomNode startingNode) { if (startingNode == DomNode.this) { return null; } - final DomNode parent = startingNode.getParentNode(); - if (parent == null || parent == DomNode.this) { - return null; - } - DomNode next = parent.getNextSibling(); - while (next != null && !isAccepted(next)) { - next = next.getNextSibling(); - } - if (next == null) { - return getNextElementUpwards(parent); + + DomNode parent = startingNode.getParentNode(); + while (parent != null && parent != DomNode.this) { + DomNode next = parent.getNextSibling(); + while (next != null && !isAccepted(next)) { + next = next.getNextSibling(); + } + if (next != null) { + return next; + } + parent = parent.getParentNode(); } - return next; + return null; } private DomNode getFirstChildElement(final DomNode parent) { @@ -1763,7 +1764,8 @@ public void removeCharacterDataChangeListener(final CharacterDataChangeListener protected void fireCharacterDataChanged(final CharacterDataChangeEvent event) { DomNode toInform = this; while (toInform != null) { - final List<CharacterDataChangeListener> listeners = safeGetCharacterDataListeners(); + + final List<CharacterDataChangeListener> listeners = toInform.safeGetCharacterDataListeners(); if (listeners != null) { for (final CharacterDataChangeListener listener : listeners) { listener.characterDataChanged(event);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.