CVE-2023-2798

7.5 HIGH

📋 TL;DR

HtmlUnit versions before 2.70.0 contain a stack overflow vulnerability when processing untrusted web content, allowing denial of service attacks. This affects applications that use HtmlUnit to browse or render user-supplied web pages. The vulnerability can cause the HtmlUnit process to crash, disrupting service availability.

💻 Affected Systems

Products:
  • HtmlUnit
Versions: All versions before 2.70.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that process untrusted web content using HtmlUnit. Applications using HtmlUnit for trusted/internal content only are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through process crashes, potentially affecting application availability and requiring manual intervention to restart services.

🟠

Likely Case

Intermittent service disruptions when processing malicious content, leading to degraded performance and potential data loss in user sessions.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits, though some performance degradation may still occur.

🌐 Internet-Facing: HIGH - Applications accepting user-controlled URLs or web content are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications processing untrusted content remain vulnerable, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to supply web content to HtmlUnit. The fuzzing test case is publicly available in the OSS-Fuzz issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.70.0

Vendor Advisory: https://github.com/HtmlUnit/htmlunit/commit/940dc7fd

Restart Required: Yes

Instructions:

1. Update HtmlUnit dependency to version 2.70.0 or later.
2. Update pom.xml or build.gradle to specify the new version.
3. Rebuild and redeploy the application.
4. Restart any running services using HtmlUnit.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict validation of user-supplied URLs and web content before passing to HtmlUnit.

Resource Limiting

all

Configure JVM stack size limits and implement timeout mechanisms for HtmlUnit operations.

-Xss256k (reduce JVM thread stack size)
Set webClient.getOptions().setTimeout() to reasonable limits

🧯 If You Can't Patch

  • Isolate HtmlUnit usage to separate processes with automatic restart capabilities
  • Implement strict content filtering and URL allowlisting for HtmlUnit inputs

🔍 How to Verify

Check if Vulnerable:

Check the HtmlUnit version in your project dependencies:

  • Maven: mvn dependency:tree | grep htmlunit
  • Gradle: gradle dependencies | grep htmlunit

Check Version:

unzip -p htmlunit-*.jar META-INF/MANIFEST.MF 2>/dev/null | grep -i '^Implementation-Version' || echo "Check pom.xml/build.gradle for version"

Verify Fix Applied:

Verify the HtmlUnit version is 2.70.0 or higher in your dependency management file and built artifacts.
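The dependency check above can be automated. The following is an added example, not code from this page or from the HtmlUnit project: it parses `mvn dependency:tree` or `gradle dependencies` output and reports HtmlUnit versions below the 2.70.0 threshold given here. The sample output is constructed, and the function names are hypothetical.

```python
import re

FIXED = (2, 70, 0)  # first fixed release according to this page

# Match the htmlunit artifact exactly. A plain `grep htmlunit` also hits sibling
# artifacts (htmlunit-core-js, neko-htmlunit, htmlunit-driver) whose version
# numbers are not comparable with this threshold.
# Maven:  group:htmlunit:jar:VERSION:scope
# Gradle: group:htmlunit:VERSION [-> RESOLVED]
COORD = re.compile(
    r"(?P<group>[\w.-]+):htmlunit:(?:jar:)?(?P<ver>[\w.-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.-]+))?"
)

def parse_version(text):
    """'2.9' -> (2, 9, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_vulnerable(dependency_output):
    """Return sorted (coordinate, version) pairs that resolve below FIXED."""
    hits = set()
    for line in dependency_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # Gradle prints "requested -> resolved"; only the resolved version ships.
        version = m.group("resolved") or m.group("ver")
        # Numeric comparison: as strings, "2.9" would sort after "2.70.0".
        if parse_version(version) < FIXED:
            hits.add((f"{m.group('group')}:htmlunit", version))
    return sorted(hits)

# Constructed sample mixing Maven and Gradle output formats.
SAMPLE = """\
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.69.0:compile
[INFO] |  +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.69.0:compile
[INFO] |  +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.69.0:compile
+--- net.sourceforge.htmlunit:htmlunit:2.50.0 -> 2.70.0
+--- net.sourceforge.htmlunit:htmlunit:2.9
"""

if __name__ == "__main__":
    for coordinate, version in find_vulnerable(SAMPLE):
        print(f"VULNERABLE {coordinate} {version} (needs >= 2.70.0)")
```

An empty result means no direct or transitive HtmlUnit dependency in the scanned output resolves below 2.70.0.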

📡 Detection & Monitoring

Log Indicators:

  • StackOverflowError exceptions in logs
  • HtmlUnit process crashes
  • Abnormal termination of web scraping/services

Network Indicators:

  • Unusual patterns of web content submission
  • Repeated requests with similar malicious payloads

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR ("HtmlUnit" AND "crash"))
