Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-65519 is a critical vulnerability in mayswind ezbookkeeping versions 1.2.0 and earlier that affects the JSON and XML file import processing modules.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the application does not validate the nesting depth of JSON or XML files during parsing. This lack of validation allows authenticated attackers to upload deeply nested malicious files that cause uncontrolled recursion.'}, {'type': 'paragraph', 'content': 'As a result, the parsing process consumes excessive CPU and memory resources, leading to stack exhaustion, service degradation, or complete service unavailability (denial of service).'}, {'type': 'list_item', 'content': 'Affected components include JSON import, GnuCash XML import, OFX/QFX XML import, and CAMT.053 XML import modules.'}, {'type': 'list_item', 'content': "The root cause is the use of Go's standard encoding/json and encoding/xml libraries without limits on recursion depth."}, {'type': 'list_item', 'content': 'Attack requires an authenticated user to upload malicious files to the API endpoint.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition by exhausting CPU and memory resources on the server running ezbookkeeping.

An attacker with valid authentication can upload deeply nested malicious JSON or XML files that trigger uncontrolled recursion during parsing.

The impact includes complete service disruption, making the application unavailable to legitimate users.

Additionally, the attack leads to high CPU and memory consumption, potentially crashing the service or container.

There is no impact on data confidentiality or integrity, meaning no data leakage or corruption occurs.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusually high CPU and memory usage on the system hosting ezBookkeeping, especially during import operations of JSON or XML files.'}, {'type': 'paragraph', 'content': 'Since the attack involves uploading deeply nested JSON or XML files to the API endpoint /api/v1/transactions/parse_import.json, network traffic analysis can help detect repeated or large import requests.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation attempts include:'}, {'type': 'list_item', 'content': 'Use system monitoring tools like top or htop to check CPU and memory usage: `top` or `htop`'}, {'type': 'list_item', 'content': 'Check for high CPU usage by the ezBookkeeping process: `ps aux --sort=-%cpu | grep ezbookkeeping`'}, {'type': 'list_item', 'content': "Monitor network traffic for repeated POST requests to the import API endpoint using tools like tcpdump or Wireshark: `tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and filter for `/api/v1/transactions/parse_import.json` in HTTP payloads."}, {'type': 'list_item', 'content': "Review web server logs for frequent or large import requests: `grep '/api/v1/transactions/parse_import.json' /var/log/nginx/access.log`"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Enforce request timeouts in the web server configuration, such as setting ReadTimeout and WriteTimeout to 10 seconds.
• Configure a Web Application Firewall (WAF) or reverse proxy (e.g., Nginx) to limit client body size and set connection timeouts.
• Implement rate limiting on import requests, for example, allowing a maximum of 10 import requests per hour per user.

If an attack occurs, recovery requires manually restarting the affected container or service to restore normal operation.

Useful 0 Not Useful 0