CVE-2023-33460

Vulnerability

A memory leak exists in the yajl library version 2.1.0 within the yajl_tree_parse function. When processing a specially crafted JSON payload such as {"@\\\n\\\\", the parser fails to free allocated memory during error recovery, resulting in a leak of 73 bytes per invocation as detected by AddressSanitizer (ASan) [1]. The leak originates from allocations in context_push, value_alloc, and handle_string that are not released on parse failure.

Exploitation

An attacker needs to supply a malicious JSON input to any application that uses yajl_tree_parse (for example, the parse_config.c example) [1]. No authentication or special network position is required if the parser is exposed to untrusted data. Sending the crafted string repeatedly will cause the server's memory to grow unboundedly, eventually leading to an out-of-memory crash.

Impact

Successful exploitation results in a denial-of-service (DoS) condition because the memory leak exhausts available memory, causing the target process to crash. The vulnerability does not allow arbitrary code execution or information disclosure; the impact is limited to availability loss.

Mitigation

As of the available references, no official patch has been released for yajl 2.1.0 [1]. Users should monitor the upstream repository (https://github.com/lloyd/yajl) for a fix. If a patched version is not yet available, developers can mitigate the risk by validating and limiting the size of JSON input before passing it to yajl_tree_parse, or by restarting the affected process regularly to clear accumulated memory.