CVE-2022-40152 Overview
CVE-2022-40152 is a Denial of Service (DoS) vulnerability affecting the Woodstox XML parser library. Applications using Woodstox to parse XML data with DTD (Document Type Definition) support enabled are vulnerable to stack overflow attacks. When processing maliciously crafted XML input, the parser can be forced into deep recursion, ultimately causing a stack overflow crash. This vulnerability can be exploited remotely by attackers who can supply XML content to affected applications.
Critical Impact
Attackers can crash applications using Woodstox for XML parsing by supplying specially crafted XML content, leading to denial of service conditions affecting application availability.
Affected Products
- FasterXML Woodstox (XML parsing library)
- XStream XStream (serialization library using Woodstox)
Discovery Timeline
- 2022-09-16 - CVE-2022-40152 published to NVD
- 2025-05-23 - Last updated in NVD database
Technical Details for CVE-2022-40152
Vulnerability Analysis
This vulnerability stems from improper handling of deeply nested or recursive XML structures when DTD processing is enabled in Woodstox. The parser does not adequately limit recursion depth when processing certain XML constructs, allowing attackers to craft XML documents that trigger excessive stack usage.
The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). When the parser encounters specially crafted XML with recursive entity definitions or deeply nested elements, it processes these structures recursively without proper bounds checking. This unbounded recursion consumes stack memory until the stack is exhausted, resulting in a crash.
The attack can be executed remotely without authentication against any application that accepts XML input and uses Woodstox with DTD support enabled. The impact is limited to availability—there is no compromise of confidentiality or integrity, but the denial of service can significantly disrupt application functionality.
Root Cause
The root cause is insufficient recursion depth limiting in Woodstox's DTD processing logic. When parsing XML documents containing deeply nested structures or recursive entity references, the parser follows the recursion without adequate safeguards, leading to stack exhaustion. This is a common vulnerability pattern in XML parsers that implement DTD support, as the XML specification allows for complex entity structures that can be abused for resource exhaustion attacks.
Attack Vector
The attack vector is network-based, requiring the attacker to submit malicious XML content to an application using Woodstox for parsing. Attack scenarios include:
- Web Service Exploitation: Submitting crafted XML payloads to REST or SOAP endpoints that process XML requests
- File Upload Attacks: Uploading malicious XML files to applications that process uploaded XML content
- Message Queue Poisoning: Injecting malicious XML messages into message queues consumed by vulnerable applications
The attack requires no authentication or special privileges, and no user interaction is needed. The attacker simply needs to identify an entry point where XML content is processed by Woodstox with DTD support enabled.
The vulnerability mechanism involves crafting XML documents with recursive DTD entity definitions that cause the parser to enter deep recursion. When the parser attempts to resolve these entities, the call stack grows beyond the available stack space, triggering a stack overflow exception and crashing the application. Technical details can be found in the OSS-Fuzz issue report and the related XStream GitHub issue #304.
Detection Methods for CVE-2022-40152
Indicators of Compromise
- Unusual application crashes with stack overflow exceptions in XML parsing components
- Large or deeply nested XML documents appearing in application logs
- Repeated XML parsing failures followed by service restarts
- Memory and CPU spikes during XML processing operations
Detection Strategies
- Monitor application logs for java.lang.StackOverflowError exceptions in Woodstox or XStream stack traces
- Implement application-level monitoring for XML parsing failures and exceptions
- Use dependency scanning tools to identify applications using vulnerable Woodstox versions
- Deploy web application firewalls (WAF) with rules to detect oversized or deeply nested XML content
Monitoring Recommendations
- Configure alerting for repeated application crashes in XML processing services
- Monitor for unusual patterns in XML document sizes and complexity
- Track resource utilization (CPU, memory, thread counts) on services processing XML input
- Implement centralized logging to correlate XML parsing exceptions across multiple services
How to Mitigate CVE-2022-40152
Immediate Actions Required
- Upgrade Woodstox to a patched version that addresses the stack overflow vulnerability
- Disable DTD processing if not required by the application (XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES and XMLInputFactory.SUPPORT_DTD set to false)
- Implement input validation to reject excessively large or deeply nested XML documents
- Consider using alternative XML parsers with built-in protection against billion laughs and similar attacks
Patch Information
Security patches addressing this vulnerability are available through the FasterXML Woodstox project. Organizations should review the Chromium Issue #47434 and GitHub Issue #304 for specific version information and update recommendations. Update all instances of Woodstox and dependent libraries like XStream to their latest secure versions.
Workarounds
- Disable DTD support entirely in the XML parser configuration if DTD processing is not required
- Implement request size limits for XML content at the network or application layer
- Deploy XML-aware firewalls or gateways that can reject malformed or suspiciously structured XML
- Configure JVM with increased stack size as a temporary measure (does not fix the vulnerability, only raises the threshold)
# Configuration example - Disable DTD support in Java applications
# Add these system properties when starting the JVM:
java -Djavax.xml.stream.isSupportingExternalEntities=false \
-Djavax.xml.stream.supportDTD=false \
-jar your-application.jar
# Or configure programmatically in code:
# XMLInputFactory factory = XMLInputFactory.newInstance();
# factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
# factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
