Roman Wagner, 1 min read

19 Bugs in Jsoup Found With Jazzer

Our Java fuzzer Jazzer has found more than 19 bugs (CVE-2021-37714) in the open-source library jsoup. Eight of them might have a critical impact on the availability of web applications that use jsoup. Users should update to jsoup 1.14.2 quickly to avoid downtime.


What Is jsoup?

Jsoup is a popular Java library designed to parse, extract, and manipulate data stored in HTML documents. It can also be used to parse and build XML documents.

Which Vulnerabilities Were Found?

Applications that use jsoup to parse untrusted HTML or XML may be vulnerable to Denial of Service attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. The following finding, reported by Jazzer, shows one such case: a deeply nested table structure drives the HTML tree builder into unbounded recursion.

== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (truncated to likely cause)
	at org.jsoup.parser.HtmlTreeBuilder.process(HtmlTreeBuilder.java:149)
	at org.jsoup.parser.HtmlTreeBuilderState$14.process(HtmlTreeBuilderState.java:1222)
Caused by: java.lang.StackOverflowError
	at java.base/java.util.Arrays.binarySearch0(Arrays.java:2233)
	at java.base/java.util.Arrays.binarySearch(Arrays.java:2173)
	at org.jsoup.internal.StringUtil.inSorted(StringUtil.java:243)
	at org.jsoup.parser.HtmlTreeBuilder.inSpecificScope(HtmlTreeBuilder.java:501)
	at org.jsoup.parser.HtmlTreeBuilder.inSpecificScope(HtmlTreeBuilder.java:490)
	at org.jsoup.parser.HtmlTreeBuilder.inTableScope(HtmlTreeBuilder.java:535)
	at org.jsoup.parser.HtmlTreeBuilderState$14.process(HtmlTreeBuilderState.java:1207)
	at org.jsoup.parser.HtmlTreeBuilder.process(HtmlTreeBuilder.java:149)
	at org.jsoup.parser.TreeBuilder.processEndTag(TreeBuilder.java:108)
	at org.jsoup.parser.HtmlTreeBuilderState$14.process(HtmlTreeBuilderState.java:1221)
	at org.jsoup.parser.HtmlTreeBuilder.process(HtmlTreeBuilder.java:149)

Coverage-Guided Fuzzing for Java

My team and I used our coverage-guided, in-process fuzzer for the JVM, Jazzer, to fuzz jsoup. Jazzer is a highly useful Java testing tool that can find bugs in fuzz targets that parse complex and nested structures such as HTML, XML, or JSON.
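A fuzz target of the kind described above, written here as an added example (it is not the harness from this post or from jsoup's OSS-Fuzz integration). It assumes jsoup and the Jazzer API jar are on the classpath; the class name JsoupFuzzer is a placeholder.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.parser.Parser;

// Hypothetical fuzz target for jsoup. Jazzer invokes fuzzerTestOneInput once per
// generated input and reports any uncaught exception, StackOverflowError, or
// input that exceeds the per-run timeout as a finding, so the three bug classes
// named in the post (hangs, slowdowns, unexpected exceptions) are all caught
// without any explicit checks in the target.
public class JsoupFuzzer {

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // One fuzzer bit selects the HTML or the XML tree builder, so both
        // parsers that the post mentions are covered by a single target.
        boolean useXmlParser = data.consumeBoolean();
        // The rest of the input becomes the document to parse.
        String input = data.consumeRemainingAsString();

        Document doc = useXmlParser
                ? Jsoup.parse(input, "", Parser.xmlParser())
                : Jsoup.parse(input);

        // Also walk the resulting tree and serialise it, so that defects in
        // the output path are reached as well as those in the tree builder.
        doc.text();
        doc.outerHtml();
    }
}
```

Run with `jazzer --cp=<classpath with jsoup and JsoupFuzzer> --target_class=JsoupFuzzer`; when a finding such as the stack overflow above is hit, Jazzer writes the triggering input to a crash file for reproduction.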

A full video walkthrough is also available: Fuzzing Java code (JSoup) using Jazzer fuzzer.

Continuous Fuzzing Through OSS-Fuzz Integration

Developers from Code Intelligence integrated jsoup into the OSS-Fuzz platform, which made continuous fuzzing of jsoup possible. More than 165 bugs have already been found thanks to the integration of Jazzer into OSS-Fuzz.
