CVE-2023-2798
Unrestricted recursion in htmlunit
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 0.07%
Description
Those using HtmlUnit to browse untrusted webpages may be vulnerable to denial-of-service (DoS) attacks. If HtmlUnit is running on user-supplied web pages, an attacker may supply content that causes HtmlUnit to crash with a stack overflow. This effect may support a denial-of-service attack. This issue affects HtmlUnit before 2.70.0.
How to fix CVE-2023-2798
To remediate CVE-2023-2798, upgrade the affected package to a fixed version below.
- upgrade to 2.70.0 or later
Is CVE-2023-2798 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.70.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |