CVE-2023-46131: Data Binding Denial of Service Vulnerability
December 20, 2023
A vulnerability in grails-core data binding can leave your application open to a denial-of-service attack.
The Grails® framework engineering team has confirmed a security vulnerability in the grails-databinding module, discovered by Wenbo Shen, Rui Chang, crane from Zhejiang University, and two other researchers from Antgroup FG Security Lab. This vulnerability is assigned the identifier CVE-2023-46131.
An attacker can send a specially crafted request to a Grails framework application that triggers internal server errors when the application attempts data binding. These internal server errors continue to be generated after the attack, even once the attacker has moved on and the application is receiving only valid requests. The attack request may even crash the Java Virtual Machine (JVM). The server must be restarted to restore proper working operation.
Most Grails framework applications from version 2.x onward are susceptible.
Protecting Your Applications
The Grails Team recommends that all Grails framework applications upgrade to a patched version of the framework. Patches are available for Grails in these versions:
(2024 Jan 29 Update: An earlier revision of this blog post recommended release versions that patched the vulnerability but unfortunately introduced an unrelated defect. This defect has been fixed, and the recommended versions above reflect the patched, fixed releases.)
The best way to protect your application is to upgrade to a patched release.
No workaround is possible for this vulnerability except to avoid data binding altogether.
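The following controller is an added illustration of what avoiding data binding looks like in practice; it is not code from this advisory or from the Grails project. It assumes a hypothetical `Book` domain class with a `String title` and an `Integer pages` property, and copies request parameters into the object by hand instead of going through the grails-databinding module.

```groovy
// Added example, not from the advisory or the Grails project.
// Assumes a hypothetical domain class `Book` with String `title` and Integer `pages`.
class BookController {

    // Until the application runs a patched Grails release, request parameters are
    // copied into the domain object by hand so that the grails-databinding module
    // (the component named in CVE-2023-46131) is never invoked for this action.
    // The action deliberately declares no command-object parameter, because Grails
    // binds command objects automatically before the action body runs.
    def save() {
        // Binding-based forms of the same action, which this example avoids:
        //   def book = new Book(params)        // map constructor binds via grails-databinding
        //   def book = new Book(); bindData(book, params)

        Book book = new Book()

        // A parameter may arrive once or repeated; params.list() normalises both to a List.
        // Take the first non-empty value only, and bound its length.
        String rawTitle = params.list('title')?.find { it }
        if (rawTitle == null || rawTitle.length() > 200) {
            render(status: 400, text: 'invalid title')
            return
        }
        book.title = rawTitle

        // Typed accessor: returns null for missing or non-numeric input instead of throwing.
        Integer pages = params.int('pages')
        if (pages == null || pages < 0) {
            render(status: 400, text: 'invalid pages')
            return
        }
        book.pages = pages

        if (!book.save()) {
            render(status: 422, text: 'validation failed')
            return
        }
        redirect(action: 'show', id: book.id)
    }
}
```

Every value is read with a typed accessor, validated, and assigned to a named property, so the request can never steer which properties are written or how large the resulting object graph becomes. The cost is that each action must enumerate its inputs explicitly, which is why the advisory recommends upgrading rather than relying on this as a long-term approach.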
The Grails Foundation and the Grails development team take application security very seriously. We continue to research and monitor this vulnerability and will post updates with new information as it is discovered.