CVE-2024-53848
📋 TL;DR
This vulnerability in check-jsonschema allows cache confusion attacks where an attacker can replace legitimate JSON schemas with malicious ones. Users who run check-jsonschema against remote schema URLs are affected, potentially allowing invalid data to pass validation.
💻 Affected Systems
- check-jsonschema
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass critical validation checks, allowing malicious data to be processed by downstream systems, potentially leading to data corruption, privilege escalation, or system compromise.
Likely Case
Data validation failures allowing improperly formatted or unauthorized data to pass through systems that rely on JSON schema validation.
If Mitigated
Minimal impact with proper cache management or schema verification controls in place.
🎯 Exploit Status
Exploitation requires convincing a user to run check-jsonschema against a malicious URL, which could be achieved through phishing or compromised documentation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.30.0
Vendor Advisory: https://github.com/python-jsonschema/check-jsonschema/security/advisories/GHSA-q6mv-284r-mp36
Restart Required: No
Instructions:
1. Check current version: pip show check-jsonschema
2. Upgrade: pip install --upgrade check-jsonschema==0.30.0
3. Verify: pip show check-jsonschema | grep Version
🔧 Temporary Workarounds
Disable caching
Run check-jsonschema with the --no-cache flag to prevent schema caching entirely
check-jsonschema --no-cache --schemafile schema.json data.json
Use local schema files
Download schemas locally before validation to avoid remote URL risks
curl -LOs https://example.org/schema.json
check-jsonschema --schemafile ./schema.json data.json
🧯 If You Can't Patch
- Always pass the --no-cache flag when running check-jsonschema
- Validate schemas from trusted sources only and download them locally before use
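The three workarounds above (check the installed version, keep the schema as a local file you have verified, and always pass --no-cache) can be combined into one wrapper. The script below is an added example written for this page; it is not part of the check-jsonschema project or the advisory. It assumes `pip show` prints a `Version:` line with plain dotted digits, and that you pin the SHA-256 of each downloaded schema next to it in your repository; the function names (`version_lt`, `verify_schema`, `safe_validate`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the check-jsonschema project).
# Assumptions: `pip show` prints "Version: X.Y.Z"; the expected digest for each
# local schema is pinned by you when you first download and review the schema.

# version_lt A B -> exit 0 when A is strictly lower than B (numeric dotted compare).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    # drop any non-numeric suffix (e.g. "rc1") so the integer compare cannot fail
    x=$(printf '%s' "${x:-0}" | sed 's/[^0-9].*$//')
    y=$(printf '%s' "${y:-0}" | sed 's/[^0-9].*$//')
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# installed_version -> prints the installed check-jsonschema version, or nothing.
installed_version() {
  pip show check-jsonschema 2>/dev/null | sed -n 's/^Version: //p'
}

# sha256_of FILE -> prints the hex digest, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_schema FILE EXPECTED_HEX -> exit 0 only when the file matches the pinned digest.
verify_schema() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# safe_validate SCHEMA_FILE EXPECTED_HEX DATA_FILE...
# Refuses to validate against a schema whose digest does not match the pin,
# warns when the installed tool is below the fixed 0.30.0, and never uses the cache.
safe_validate() {
  schema="$1"; expected="$2"; shift 2
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "check-jsonschema is not installed" >&2
    return 2
  fi
  if version_lt "$v" 0.30.0; then
    echo "warning: check-jsonschema $v is below 0.30.0 (CVE-2024-53848); forcing --no-cache" >&2
  fi
  if ! verify_schema "$schema" "$expected"; then
    echo "refusing to validate: $schema does not match the pinned SHA-256" >&2
    return 3
  fi
  check-jsonschema --no-cache --schemafile "$schema" "$@"
}
```

Usage: after downloading a schema once (for example with the `curl -LOs` command above) and reviewing it, record `sha256_of ./schema.json` in your repository and call `safe_validate ./schema.json <pinned-hex> data.json` from CI. The pin makes a silently swapped schema (whether via the cache or a changed upstream file) fail closed instead of validating data against the wrong rules.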
🔍 How to Verify
Check if Vulnerable:
Run: pip show check-jsonschema | grep Version
If version is below 0.30.0 and you use remote schema URLs, you are vulnerable.
Check Version:
pip show check-jsonschema | grep Version
Verify Fix Applied:
Run: pip show check-jsonschema | grep Version
Confirm version is 0.30.0 or higher.
📡 Detection & Monitoring
Log Indicators:
- Multiple schema validations failing unexpectedly
- Schema cache files with unexpected content or sources
Network Indicators:
- check-jsonschema processes making requests to unexpected or suspicious domains
SIEM Query:
process:check-jsonschema AND (network.destination.domain:*.evil OR network.destination.ip:suspicious_ip)