Source: Grails Blog

CVE-2023-46131: Data Binding Denial of Service Vulnerability

A vulnerability in grails-core data binding can leave your application open to a denial-of-service attack.

Overview

The Grails® framework engineering team has confirmed a security vulnerability in the grails-databinding module, discovered by Wenbo Shen, Rui Chang, crane from Zhejiang University, and two other researchers from Antgroup FG Security Lab. This vulnerability is assigned the identifier CVE-2023-46131.

An attacker can send a specially crafted request to a Grails framework application that will trigger internal server errors when the application attempts data binding. After the attack, these internal server errors will continue to be generated, even after the attacker has moved on and the application has received valid requests. The attack request may even crash the Java Virtual Machine (JVM). The server must be restarted to restore proper working operation.

Impacted Applications

Most Grails framework applications are susceptible, from Grails version 2.x and later.

Protecting Your Applications

The Grails Team recommends that all Grails framework applications upgrade to a patched version of the framework. Patches are available for Grails in these versions:

- 6.1.0
- 5.3.5
- 4.1.3
- 3.3.17

The best way to protect your application is to upgrade to a patched release. No workaround is possible for this vulnerability except to avoid data binding altogether.

Support

The Grails Foundation and the Grails development team take application security very seriously. We continue to research and monitor this vulnerability and will post updates with new information as it is discovered.

If you have questions about this vulnerability or need assistance with upgrades or workarounds, please join the discussion on GitHub or contact us at security@grails.org.
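The advisory's remediation is purely version-based, so the practical check for a fleet of applications is whether each one declares a Grails release at or above the fixed version for its major line. The following script is an added example, not Grails project code: it encodes the four patched releases named above, compares a version string against them (a 2.x version is reported as affected with no patched 2.x release listed, and major lines the advisory does not mention are reported as not covered rather than guessed at), and reads the `grailsVersion` key that Grails 3+ projects conventionally declare in `gradle.properties` (that file layout is an assumption; the sample file contents are constructed).

```python
"""Check a Grails version against the fixed releases named in the CVE-2023-46131 advisory.

Added example, not code from the Grails project. The patched-version table comes from
the advisory text; reading `grailsVersion=` from gradle.properties assumes the usual
Grails 3+ project layout.
"""
import re

# Lowest patched release per major line, taken from the advisory.
PATCHED = {3: (3, 3, 17), 4: (4, 1, 3), 5: (5, 3, 5), 6: (6, 1, 0)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z].*))?\s*$")


def parse_version(text):
    """Turn '5.3.2', '6.1.0-RC1' or '4.0.13.BUILD-SNAPSHOT' into a comparable tuple.

    A pre-release qualifier (RC, M1, BUILD-SNAPSHOT, ...) ranks below the final
    release with the same numbers, so an RC of a fixed version is not treated as fixed.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Grails version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    final_release = 0 if m.group(4) else 1
    return (major, minor, patch, final_release)


def assess(version_text):
    """Classify a version as 'patched', 'vulnerable',
    'vulnerable-no-patch-in-line' (2.x) or 'not-covered' (lines the advisory omits)."""
    v = parse_version(version_text)
    major = v[0]
    if major < 2:
        return "not-covered"                      # advisory names 2.x and later
    if major == 2:
        return "vulnerable-no-patch-in-line"      # affected; no 2.x patch is listed
    if major not in PATCHED:
        return "not-covered"                      # newer line; check the advisory for updates
    fixed = PATCHED[major] + (1,)                 # the final (non-qualified) fixed release
    return "patched" if v >= fixed else "vulnerable"


def assess_gradle_properties(contents):
    """Find `grailsVersion=...` in gradle.properties text and assess it.

    Returns (version, status); status is 'no-grailsVersion-found' if the key is absent.
    """
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "grailsVersion":
            version = value.strip()
            return version, assess(version)
    return None, "no-grailsVersion-found"


if __name__ == "__main__":
    # Constructed sample of a gradle.properties file for demonstration.
    sample = "# build settings\ngrailsVersion=5.3.2\ngroovyVersion=3.0.11\n"
    version, status = assess_gradle_properties(sample)
    print(f"grailsVersion={version}: {status}")   # grailsVersion=5.3.2: vulnerable
    for v in ("3.3.16", "3.3.17", "4.1.3", "6.1.0-RC1", "2.5.6"):
        print(f"{v}: {assess(v)}")
```

Point the `assess_gradle_properties` function at each application's `gradle.properties` during an inventory pass; anything reported as `vulnerable` or `vulnerable-no-patch-in-line` needs the upgrade the advisory describes, since no configuration-level workaround exists short of removing data binding.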
