GHSA-pqhp-25j4-6hq9: smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
An attacker can send a maliciously crafted TOML document that crashes the parser with a stack overflow triggered by deeply nested inline structures (inline tables and arrays). A similar problem occurs when attempting to stringify deeply nested objects.
The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.
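A mitigation applications can apply on their side until they run a fixed version, as an added example that is not smol-toml's own code: measure nesting depth before the document reaches the recursive parser (and before an object reaches the serializer) and reject anything above a limit. The depth limit, the helper names and the sample inputs are assumptions made for this example; the TOML scan is a conservative lexical pass rather than a full tokenizer.

```javascript
// Added defensive example, not smol-toml's own code: bound nesting depth before
// calling a parser/serializer that recurses without a limit. MAX_DEPTH is assumed.
const MAX_DEPTH = 32;
// Deepest {/[ nesting in a TOML text, ignoring brackets inside comments and strings.
// Conservative lexical scan, not a tokenizer: a [[header]] line counts as depth 2.
function tomlNestingDepth(text) {
  let depth = 0, max = 0, i = 0, n = text.length;
  while (i < n) {
    const c = text[i];
    if (c === '#') { while (i < n && text[i] !== '\n') i++; continue; } // comment
    if (c === '"' || c === "'") { // basic/literal string, single- or triple-quoted
      const q = text.startsWith(c.repeat(3), i) ? c.repeat(3) : c;
      i += q.length;
      while (i < n && !text.startsWith(q, i)) {
        if (c === '"' && text[i] === '\\') i++; // escapes only exist in basic strings
        i++;
      }
      i += q.length;
      continue;
    }
    if (c === '{' || c === '[') { depth++; if (depth > max) max = depth; }
    else if (c === '}' || c === ']') depth = Math.max(0, depth - 1);
    i++;
  }
  return max;
}
// Depth of a JS value, walked with an explicit stack so the check itself cannot overflow.
function objectDepth(root) {
  let max = 0;
  const stack = [[root, 0]];
  while (stack.length) {
    const [value, depth] = stack.pop();
    if (value === null || typeof value !== 'object' || value instanceof Date) continue;
    if (depth + 1 > max) max = depth + 1;
    for (const v of Object.values(value)) stack.push([v, depth + 1]);
  }
  return max;
}
// Use as parse(guardToml(text)) and stringify(guardObject(obj)) with smol-toml's exports.
function guardToml(text, limit = MAX_DEPTH) {
  if (tomlNestingDepth(text) > limit) throw new RangeError('TOML nesting exceeds ' + limit);
  return text;
}
function guardObject(obj, limit = MAX_DEPTH) {
  if (objectDepth(obj) > limit) throw new RangeError('object nesting exceeds ' + limit);
  return obj;
}
// Constructed samples: a benign document and a nesting bomb like the one the advisory describes.
const BENIGN = 'a = { b = { c = [1, 2, { d = "[{not nesting}]" }] } } # [ignored]';
const BOMB = 'x = ' + '{ y = '.repeat(10000) + '1' + ' }'.repeat(10000);
```

Because table headers are counted as brackets, keep the limit comfortably above 2 and above the deepest legitimate structure your configuration format actually uses.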