NanaZip Uncontrolled Recursion Vulnerability in Electron ASAR Parser Causes Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in NanaZip versions from 5.0.1250.0 up to, but not including, 6.0.1698.0. The issue arises from uncontrolled recursion in the Electron Archive (ASAR) parser. When a crafted .asar file with deeply nested JSON in the header is opened, the nlohmann JSON library's parser and the ASAR handler's GetAllPaths function recurse without depth limits. This unbounded recursion exhausts the thread stack and crashes the NanaZip process. The vulnerability is triggered while the file is being opened, with no further user interaction required.
Impact
Exploitation of this vulnerability causes a stack overflow, resulting in a crash of the NanaZip process. The stack overflow occurs naturally from the unbounded recursion in both the JSON parsing and the GetAllPaths function, without causing any memory corruption.
Reproduction
To reproduce this vulnerability, open a crafted .asar file with approximately 2000 levels of nesting in the JSON header using NanaZip version 5.0.1250.0 through 6.0.1698.0. The ASAR handler will recursively parse the JSON without depth limits, leading to a stack overflow and crashing the application.
Remediation
Users can upgrade to NanaZip version 6.0.1698.0 or later, where this vulnerability has been fixed.
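For code that must hand an untrusted JSON header to a recursive parser or a recursive tree walk such as GetAllPaths, the following added example (not NanaZip's or nlohmann's code, and not the project's actual fix) shows a non-recursive pre-check that rejects a header whose nesting exceeds a limit. The function name header_depth_ok, the limit of 128 and the sample headers are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical limit for this example; not a value taken from NanaZip.
constexpr std::size_t kMaxHeaderDepth = 128;

// True if `json` never nests objects/arrays deeper than `limit`.
// A counter replaces recursion, so stack use is constant for any input.
// This is a depth guard only; the real parser still validates the syntax.
bool header_depth_ok(std::string_view json,
                     std::size_t limit = kMaxHeaderDepth) {
    std::size_t depth = 0;
    bool in_string = false, escaped = false;
    for (char c : json) {
        if (in_string) {  // brackets inside string literals are data
            if (escaped) escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
        case '"': in_string = true; break;
        case '{': case '[':
            if (++depth > limit) return false;  // too deep: stop early
            break;
        case '}': case ']':
            if (depth == 0) return false;       // unbalanced close
            --depth;
            break;
        default: break;
        }
    }
    return !in_string && depth == 0;  // also reject truncated headers
}

int main() {
    // Constructed sample inputs, not taken from a real archive.
    const std::string shallow =
        R"({"files":{"main.js":{"size":12,"offset":"0"}}})";
    const std::string deep = std::string(2000, '[') + std::string(2000, ']');
    std::cout << "shallow header accepted: " << header_depth_ok(shallow) << '\n'
              << "2000-level header accepted: " << header_depth_ok(deep) << '\n';
    return 0;
}
```

Running the check before parsing means the rejection path costs one linear scan and no stack growth, regardless of how deep the input claims to be.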
