Cpanel::JSON::XS Type Confusion Vulnerability in Perl Allowing Denial-of-Service

Vulnerability

A type confusion vulnerability has been identified in Cpanel::JSON::XS versions prior to 4.41 for Perl. This vulnerability arises when duplicate object keys are processed with the 'dupkeys_as_arrayref' option enabled. The 'decode_hv()' function mishandles these duplicates, leading to a crash. Specifically, the function collapses duplicate keys into an array reference but fails to properly check if the existing value is a reference before dereferencing it. As a result, a non-reference scalar can be incorrectly treated as a reference, causing a segmentation fault. This vulnerability can be exploited by decoding untrusted JSON data with 'dupkeys_as_arrayref' enabled, particularly when the JSON contains duplicate keys.

Impact

Exploitation of this vulnerability leads to a segmentation fault, causing a crash of the Perl process handling the JSON.

Reproduction

To reproduce this vulnerability, use a Cpanel::JSON::XS version prior to 4.41 and enable the 'dupkeys_as_arrayref' option. Then, decode a JSON string that contains duplicate keys. The 'decode_hv()' function will mishandle the duplicates, causing a type confusion that results in a segmentation fault.

Remediation

Users can upgrade to Cpanel::JSON::XS version 4.41 or later, where this vulnerability has been fixed.
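
For code that has to run before the upgrade lands, the option can be gated on the installed module version. The following is an added example, not code from the advisory or from the Cpanel::JSON::XS project; safe_decoder() and its option hash are hypothetical names, the sample JSON is constructed, and 4.41 is the fixed version stated above.

```perl
#!/usr/bin/env perl
# Added example: gate dupkeys_as_arrayref on the installed module version.
# safe_decoder() and its option name are hypothetical helpers, not module API.
use strict;
use warnings;
use version;
use Cpanel::JSON::XS ();

# First fixed release according to the advisory text.
my $FIXED = version->parse('4.41');

# Returns (decoder, blocked). blocked is true when the caller asked for
# dupkeys_as_arrayref but the installed version is older than the fix,
# in which case the option is left off.
sub safe_decoder {
    my (%want) = @_;
    my $have    = version->parse(Cpanel::JSON::XS->VERSION);
    my $json    = Cpanel::JSON::XS->new->utf8;
    my $blocked = 0;
    if ($want{dupkeys_as_arrayref}) {
        if ($have >= $FIXED) {
            $json->dupkeys_as_arrayref(1);
        }
        else {
            $blocked = 1;
            warn "Cpanel::JSON::XS $have is older than $FIXED: "
               . "dupkeys_as_arrayref left off\n";
        }
    }
    return ($json, $blocked);
}

# Constructed sample input containing a duplicate key.
my $sample = '{"user":"alice","user":"bob"}';

my ($json, $blocked) = safe_decoder(dupkeys_as_arrayref => 1);

# decode() dies on input it rejects; eval turns that into a handled error.
my $data = eval { $json->decode($sample) };
if (!defined $data) {
    print "rejected: $@";
}
elsif (ref($data->{user}) eq 'ARRAY') {
    print "duplicates kept: @{ $data->{user} }\n";
}
else {
    print "single value kept: $data->{user}\n";
}
print "upgrade needed before enabling dupkeys_as_arrayref\n" if $blocked;
```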

Added: Jun 3, 2026, 1:18 AM
Updated: Jun 3, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 5.0
remediation: 7.7
relevance: 9.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.