Swift 5.1.5 for Linux: JSONSerialization: Limit recursion when parsing

Foundation's JSONSerialization in Swift for Linux before 5.1.5 is vulnerable to a denial-of-service attack when parsing JSON. An attacker that can provide JSON input parsed using JSONSerialization (or JSONDecoder) can force JSONSerialization into arbitrarily deep recursion which can then lead to a stack overflow, crashing the process.

All versions of Swift for Linux up to and including 5.1.4 are affected by this issue.

Please make sure you quickly upgrade to Swift 5.1.5 either by downloading one of the available packages at https://swift.org/download/#releases or by using the latest docker images.

We would like to thank @fabianfett for the initial report. We are working on issuing a CVE for this vulnerability and will update this post with a link once issued.

7 Likes

CVE can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9861

Terms of Service

Privacy Policy

Cookie Policy