Underscore.js Stack Overflow Vulnerability in _.flatten and _.isEqual Functions Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Underscore.js versions prior to 1.13.8. Both _.flatten and _.isEqual descend into nested data structures recursively without bounding the recursion depth, so a sufficiently deep structure exhausts the call stack and crashes the process. Exploitation requires that untrusted input be used to build a deeply nested data structure (for example, by parsing attacker-supplied JSON) which is then passed to one of the two functions. For _.flatten this is only possible when every level of the structure is an array, because the function does not descend into plain objects, and when no explicit depth argument is given. For _.isEqual the attacker needs the deep structure to be compared against an equivalent but distinct structure, since the comparison only recurses as far as the two sides continue to match; a realistic case is two copies of the same attacker-controlled record from the same source, such as data read back from a database.

Impact

Exploitation of this vulnerability exhausts the call stack, which the JavaScript engine reports as a RangeError (in V8, "Maximum call stack size exceeded"). Unless the error is caught, it terminates the process, so a single crafted input can take down a long-running server application that depends on continuous operation.

Reproduction

To reproduce this vulnerability, build a nested array (for _.flatten) or a nested array or object structure (for _.isEqual) approximately 4500 levels deep from untrusted input, which mirrors a realistic attack path: craft a JSON string that nests to that depth, parse it, and pass the result to _.flatten, or to _.isEqual together with a second, structurally identical copy. Because neither function bounds its recursion, every nesting level consumes call-stack frames until the engine throws a stack-overflow RangeError. The exact depth at which this happens depends on the JavaScript engine and its configured stack size.

Remediation

Users should upgrade to Underscore.js version 1.13.8 or later, where this vulnerability has been patched. For those unable to upgrade, a workaround is to enforce a maximum nesting depth on any data structure created from untrusted input before it reaches these functions, and, when using _.flatten, to pass an explicit depth argument (for example, _.flatten(list, 1) or _.flatten(list, true) for a single-level flatten) so that the recursion is bounded regardless of the input.
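The following is an added example, not code from Underscore.js or from this advisory. It demonstrates the reproduction and the workaround side by side: a naive recursive flatten written here to show the unbounded-recursion pattern, a pre-parse nesting gauge that rejects over-deep JSON text before JSON.parse ever runs, an iterative depth check for data that arrives already parsed (the database case described for _.isEqual), and a flatten that uses an explicit stack instead of recursion. The inputs are constructed inline; MAX_DEPTH, jsonNestingDepth, parseUntrusted, valueDepth, iterativeFlatten and recursiveFlatten are names chosen for this example and are not Underscore.js APIs.

```javascript
// Added example (not Underscore.js code). All inputs are constructed inline.
const MAX_DEPTH = 64; // assumed policy limit; choose what your data model needs

// 1. Pre-parse gate: measure bracket/brace nesting in the raw JSON text before
//    calling JSON.parse. Characters inside string literals are skipped so a "["
//    inside a value does not count. This is a depth gauge, not a validator.
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '[' || ch === '{') { depth += 1; if (depth > max) max = depth; }
    else if (ch === ']' || ch === '}') depth -= 1;
  }
  return max;
}

function parseUntrusted(text, maxDepth = MAX_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`input nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// 2. Post-parse check for values that did not arrive as JSON text (e.g. records
//    read back from a database before an _.isEqual comparison). Uses an explicit
//    stack so the check itself cannot overflow; a WeakSet guards against cycles.
function valueDepth(value) {
  let max = 0;
  const seen = new WeakSet();
  const stack = [{ value, depth: 1 }];
  while (stack.length) {
    const { value: v, depth } = stack.pop();
    if (v === null || typeof v !== 'object' || seen.has(v)) continue;
    seen.add(v);
    if (depth > max) max = depth;
    for (const child of Object.values(v)) stack.push({ value: child, depth: depth + 1 });
  }
  return max;
}

// 3. Flatten without recursion: a stack of (array, index) frames walks the
//    structure depth-first, left to right, so output order matches a recursive
//    flatten while the call stack stays flat.
function iterativeFlatten(input) {
  const output = [];
  const stack = [{ arr: input, i: 0 }];
  while (stack.length) {
    const top = stack[stack.length - 1];
    if (top.i >= top.arr.length) { stack.pop(); continue; }
    const value = top.arr[top.i++];
    if (Array.isArray(value)) stack.push({ arr: value, i: 0 });
    else output.push(value);
  }
  return output;
}

// Naive recursive flatten: one call frame per nesting level and no depth bound.
// Written here to show the failure mode; it is not Underscore's implementation.
function recursiveFlatten(input, output = []) {
  for (const value of input) {
    if (Array.isArray(value)) recursiveFlatten(value, output);
    else output.push(value);
  }
  return output;
}

// Constructed inputs: a 4500-level JSON array (the depth the advisory cites) and
// a 100000-level array built in a loop, deep enough to overflow the default
// stack of any current JavaScript engine.
const deepJsonText = '['.repeat(4500) + ']'.repeat(4500);
function buildNested(depth, leaf = 1) {
  let v = leaf;
  for (let i = 0; i < depth; i += 1) v = [v];
  return v;
}
const veryDeep = buildNested(100000);

// True if the recursive flatten blows the stack on the given value.
function recursiveFlattenOverflows(value) {
  try { recursiveFlatten(value); return false; }
  catch (e) { return e instanceof RangeError; }
}

// True if the pre-parse gate rejects the text before JSON.parse is reached.
function rejectedBeforeParse(text, maxDepth = MAX_DEPTH) {
  try { parseUntrusted(text, maxDepth); return false; }
  catch (e) { return e instanceof RangeError; }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('json nesting depth:', jsonNestingDepth(deepJsonText));       // 4500
  console.log('rejected before parse:', rejectedBeforeParse(deepJsonText));  // true
  console.log('recursive flatten overflows:', recursiveFlattenOverflows(veryDeep)); // true
  console.log('iterative flatten result:', iterativeFlatten(veryDeep));      // [ 1 ]
  console.log('value depth:', valueDepth(veryDeep));                         // 100000
}
```

The pre-parse gauge is the cheapest place to enforce the limit because it runs in a single pass over the text and never allocates the nested structure; the post-parse check covers data that bypasses JSON parsing entirely. Both are policy checks you apply before calling _.flatten or _.isEqual, not replacements for upgrading.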

Added: Mar 3, 2026, 11:22 PM
Updated: Mar 3, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.6
remediation: 7.9
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.