CVE-2021-3822

7.5 HIGH

📋 TL;DR

CVE-2021-3822 is a regular expression denial of service (ReDoS) vulnerability in jsoneditor, a web-based JSON editor. An attacker who can get a specially crafted JSON document processed by the vulnerable component makes one of its regular expressions backtrack catastrophically, burning CPU for seconds or longer and leaving the editor (and the page hosting it) unresponsive. The cost grows steeply with the length of the crafted input, so no crash or memory exhaustion is needed; a single document is enough. Any application that embeds a vulnerable version of jsoneditor and exposes it to untrusted JSON is affected.

💻 Affected Systems

Products:
  • jsoneditor
Versions: before 9.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application embedding jsoneditor is vulnerable when it lets untrusted JSON reach the component. Because jsoneditor is a browser component, the regular expression normally executes in the browser of whoever loads the crafted document, freezing that page or tab; the same CPU cost applies to any server-side code that runs the affected jsoneditor code in Node.js.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing application unavailability, potentially affecting all users of the application.

🟠

Likely Case

Degraded performance or temporary unavailability of the jsoneditor component, disrupting JSON editing functionality.

🟢

If Mitigated

Limited impact when document size and individual string length are capped before data reaches jsoneditor (backtracking cost is bounded by the length of the text a regex runs over) and rate limiting curbs repeated attempts; neither replaces the patch.

🌐 Internet-Facing: MEDIUM - Exploitable remotely but requires interaction with the jsoneditor component.
🏢 Internal Only: LOW - Requires access to internal systems and interaction with the vulnerable component.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires getting a crafted JSON document loaded into the vulnerable component, for example by submitting it to any feature that renders user-supplied JSON in the editor or by storing it where another user will open it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.3 and later

Vendor Advisory: https://github.com/josdejong/jsoneditor/commit/092e386cf49f2a1450625617da8e0137ed067c3e

Restart Required: No

Instructions:

1. Update jsoneditor to version 9.1.3 or later: npm install jsoneditor@^9.1.3 (npm update takes no version specifier; it only moves within the range already declared in package.json, so make sure that range admits 9.1.3 or later)
2. Verify with npm ls jsoneditor that the resolved version is 9.1.3 or later, including any copies nested under other dependencies
3. Test JSON editing functionality

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Cap the total size of JSON documents and the length of individual string values before data reaches jsoneditor, and reject anything JSON.parse cannot handle. Catastrophic backtracking cost grows with the length of the text a regular expression is run over, so a length cap bounds the worst case; it does not remove the bug.

Rate limiting (all platforms)

Rate limit the endpoints that accept or serve JSON to jsoneditor so one client cannot submit crafted documents repeatedly. A single crafted document still hangs whichever client renders it, so this limits volume, not individual impact.

🧯 If You Can't Patch

  • WAF signature rules are a weak fit: the payload is syntactically valid JSON, and rules written to spot backtracking-prone patterns are themselves regular expressions that can be tripped. Prefer hard limits on request body size and string length, enforced at the edge or in the application.
  • Place the component behind a reverse proxy with request size limits and short upstream timeouts (for example nginx client_max_body_size and proxy_read_timeout) so oversized documents are dropped and a hung worker is reclaimed

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/jsoneditor/package.json for the version number. If the version is below 9.1.3, the system is vulnerable. Compare numerically rather than as strings (9.10.x is newer than 9.9.x), and remember that npm ls jsoneditor lists every copy in the tree, including any nested under other dependencies.

Check Version:

npm list jsoneditor | grep jsoneditor

Verify Fix Applied:

Verify jsoneditor version is 9.1.3 or higher using: npm list jsoneditor

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for JSON requests
  • High CPU usage spikes during JSON processing
  • Application crashes or timeouts related to JSON endpoints

Network Indicators:

  • Large or malformed JSON payloads to jsoneditor endpoints
  • Repeated JSON requests causing performance degradation

SIEM Query:

source="application_logs" AND (message="*jsoneditor*" AND (message="*timeout*" OR message="*high cpu*" OR message="*crash*"))

🔗 References
