A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.
A denial of service vulnerability in GitHub Enterprise Server allows unauthenticated attackers to cause service disruption through deeply nested JSON payloads sent to unprotected API endpoints. The vulnerability stems from insufficient input validation during JSON parsing, leading to excessive resource consumption on all affected versions prior to 3.21.
This vulnerability affects all versions of GitHub Enterprise Server prior to 3.21 and allows unauthenticated attackers to send deeply nested JSON requests to unprotected API endpoints. The lack of size and depth limits in JSON processing leads to excessive resource consumption and service disruption.
GitHub Enterprise Server contains a DoS vulnerability affecting unauthenticated API endpoints that parse JSON without depth or size restrictions. Attackers can exploit this by sending crafted nested JSON requests to consume excessive CPU and memory resources, disrupting service availability.
Upgrade GitHub Enterprise Server to version 3.20.2, 3.19.6, 3.18.9, 3.17.15, 3.16.18 or later. Implement network-level rate limiting and request size restrictions on API endpoints. Deploy Web Application Firewall (WAF) rules to detect and block deeply nested JSON payloads. Monitor API endpoint resource consumption for anomalies.
Upgrade GitHub Enterprise Server to version 3.20.2, 3.19.6, 3.18.9, 3.17.15, 3.16.18 or later. Apply network-level rate limiting and request size restrictions on API endpoints. Deploy Web Application Firewall rules to detect nested JSON payloads. Monitor API endpoint resource consumption to detect anomalies.
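As an added illustration of the controls the advisory says were missing (this is example code, not GitHub's own; the byte and depth ceilings are assumed values), the following Ruby guard bounds request body size and JSON nesting depth with a single linear scan before the full parser is ever invoked:

```ruby
require 'json'

# Assumed limits for this example; tune per endpoint.
MAX_BODY_BYTES = 64 * 1024   # reject bodies larger than 64 KiB
MAX_DEPTH      = 32          # deeper than any legitimate payload for this API

class PayloadRejected < StandardError; end

# One O(n), constant-memory pass over the raw bytes that counts bracket
# depth while skipping string literals (brackets inside strings don't
# count). Returns early as soon as the limit is exceeded, so a hostile
# body costs at most one byte-scan up to the offending bracket.
def nesting_depth(body, limit)
  depth = 0
  max_seen = 0
  in_string = false
  escaped = false
  body.each_char do |c|
    if in_string
      if escaped then escaped = false
      elsif c == '\\' then escaped = true
      elsif c == '"' then in_string = false
      end
      next
    end
    case c
    when '"'
      in_string = true
    when '{', '['
      depth += 1
      max_seen = depth if depth > max_seen
      return max_seen if max_seen > limit
    when '}', ']'
      depth -= 1
    end
  end
  max_seen
end

def parse_guarded(body, max_bytes: MAX_BODY_BYTES, max_depth: MAX_DEPTH)
  raise PayloadRejected, "body is #{body.bytesize} bytes" if body.bytesize > max_bytes
  raise PayloadRejected, "nesting exceeds #{max_depth}" if nesting_depth(body, max_depth) > max_depth
  # Second line of defence: the stdlib parser enforces its own nesting ceiling.
  JSON.parse(body, max_nesting: max_depth)
end

# Constructed sample inputs (not taken from the advisory).
BENIGN  = '{"ref":"refs/heads/main","commits":[{"id":"abc","files":["a.rb"]}]}'
HOSTILE = ('[' * 5000) + (']' * 5000)   # 5000-deep array in ~10 KB
```

The pre-scan rejects the hostile body after reading 33 bytes, whereas handing it straight to a recursive parser would consume stack and CPU proportional to its depth.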