CVE Reports

Originally published at cvereports.com

GHSA-2x79-gwq3-vxxm: Infinite Loop Denial of Service in facil.io and iodine JSON Parser

Vulnerability ID: GHSA-2X79-GWQ3-VXXM
CVSS Score: 8.7
Published: 2026-04-14

An uncontrolled resource consumption vulnerability in the facil.io C framework and the iodine Ruby gem allows remote attackers to cause a Denial of Service (DoS). The vulnerability is triggered by parsing crafted JSON payloads containing malformed numeral values, resulting in an infinite loop that exhausts CPU resources.

TL;DR

A flaw in the JSON parser of facil.io and iodine causes an infinite loop when parsing malformed numerals starting with 'i' or 'I'. This allows unauthenticated remote attackers to exhaust CPU resources and cause a severe denial of service.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-2x79-gwq3-vxxm
  • CWE: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
  • Attack Vector: Network
  • CVSS v4.0 Score: 8.7 (High)
  • Exploit Status: Proof of Concept Available
  • Impact: Denial of Service (CPU Exhaustion)

Affected Systems

  • facil.io C framework: versions 0.7.5 and 0.7.6
  • iodine Ruby gem: versions <= 0.7.58 (fixed in versions > 0.7.58)

Exploit Details

  • Advisory PoC: Minimal curl payload and Ruby testing server configuration.

Mitigation Strategies

  • Upgrade the iodine Ruby gem to version > 0.7.58.
  • Update facil.io C framework dependencies to the latest master branch commit containing the fio_json_parser.h fix.
  • Deploy Web Application Firewall (WAF) rules to drop incoming JSON payloads containing unquoted 'i' characters following brackets or colons.
  • Implement process monitoring and strict timeouts to restart worker threads that consume 100% CPU for extended periods.
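The WAF rule above can also be applied in the application itself. The following is an added example, not code from the advisory, iodine or facil.io: a pre-parse guard that rejects bodies containing a bare token starting with 'i' or 'I' in value position, wrapped in a hypothetical Rack middleware. Treating '{' and ',' as value openers in addition to '[' and ':' is a conservative assumption.

```ruby
# Added example (not code from the advisory, iodine or facil.io): a
# conservative pre-parse guard that rejects JSON bodies containing a bare
# token starting with 'i'/'I' where a value is expected, the malformed
# numeral shape the advisory describes. Strings and escapes are skipped.
module MalformedNumeralGuard
  # True if the body holds an unquoted 'i'/'I' in value position, i.e. at
  # document start or after '[', '{', ':' or ',' ('{' and ',' are an assumption).
  def self.suspicious?(body)
    in_string = false
    escaped = false
    expect_value = true
    body.each_char do |ch|
      if in_string
        if escaped then escaped = false
        elsif ch == '\\' then escaped = true
        elsif ch == '"' then in_string = false
        end
        next
      end
      case ch
      when '"'
        in_string = true
        expect_value = false
      when '[', '{', ':', ','
        expect_value = true
      when ' ', "\t", "\n", "\r" then nil # whitespace keeps the expectation
      when 'i', 'I'
        return true if expect_value
        expect_value = false
      else
        expect_value = false
      end
    end
    false
  end

  # Hypothetical Rack middleware: reject the request before the JSON parser
  # sees it; otherwise rewind the body so the application can still read it.
  class Middleware
    def initialize(app); @app = app; end
    def call(env)
      input = env['rack.input']
      body = input ? input.read : ''
      input&.rewind
      return [400, { 'content-type' => 'text/plain' }, ['malformed JSON numeral']] if MalformedNumeralGuard.suspicious?(body)
      @app.call(env)
    end
  end
end
```

The guard is a stop-gap for the window before the gem or framework is upgraded; it does not replace the parser fix.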

Remediation Steps:

  1. Identify all services utilizing iodine or facil.io for handling external HTTP or WebSocket requests.
  2. Update the Gemfile to specify gem 'iodine', '> 0.7.58' and execute bundle update iodine.
  3. For C applications, pull the latest facil.io source tree and recompile the binaries.
  4. Restart all affected application services to apply the updated libraries.
  5. Test the deployment using the known PoC string "[i" to verify that the patch mitigates the infinite loop.

Read the full report for GHSA-2X79-GWQ3-VXXM on our website for more details including interactive diagrams and full exploit analysis.
