Full Report
The author of this post had read Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal. When they tried the techniques from that post, they found that many of the tricks weren't working. The tricks mainly relied on fooling a parser into treating data as a different type than it really was. Because of this, they read the source code of libmagic and found how it decides whether something is a JSON file or not. If a JSON file has 500 levels of nesting, libmagic treats it as plaintext. It turns out that most file-type detection libraries have this limitation; the limits range from 64 to thousands of levels. In the case of libmagic, and many of its wrappers, anything over these amounts is simply reported as plain text. Little quirks can go a long way!
Analysis Summary
# Vulnerability: libmagic Parser Inconsistency via Deep JSON Nesting
## CVE Details
- **CVE ID:** Not specifically assigned (Design-level parser limitation/logic flaw).
- **CVSS Score:** N/A (Severity varies based on implementation; typically Medium/High when leading to Type Confusion).
- **CWE:** CWE-436: Interpretation Conflict; CWE-843: Variant Analysis (Type Confusion).
## Affected Systems
- **Products:** `libmagic` and its associated `file` utility, along with language-specific wrappers.
- **Versions:**
  - Upstream `libmagic` 5.46 (level limit ≈ 500).
  - Older OS-level versions (e.g., Ubuntu/macOS `file` 5.41) where limits may be as low as 10 levels.
- **Configurations:** Systems using `libmagic` or `finfo` for server-side file type validation during uploads.
- **Wrappers:** `python-magic`, PHP `finfo`, Ruby/Perl bindings, Go `magicmime`.
## Vulnerability Description
`libmagic` (the engine behind the `file` command) contains a recursion guard in its JSON detection logic (`src/is_json.c`). When a JSON file exceeds a specific nesting depth—500 levels in recent versions or significantly fewer in older versions—the detector aborts its JSON analysis and returns `0` (failure).
This causes `libmagic` to default to treating the file as `ASCII text` or identifying it based on other headers present in the file. By combining 500+ levels of JSON nesting with early-file magic bytes (e.g., PDF, Image, or Script headers), an attacker can cause a "Type Confusion" state where the validator sees one file type while the application parser sees another.
## Exploitation
- **Status:** PoC available; logic based on confirmed upstream source code.
- **Complexity:** Low.
- **Attack Vector:** Network (via File Upload).
- **Technique:** "Polyglot" file creation. An attacker provides a file that is valid JSON to a web application but is identified as a different MIME type (like `application/pdf`) by `libmagic` due to reaching the nesting limit.
## Impact
- **Confidentiality:** High (if used to bypass upload filters and reach Client-Side Path Traversal or XSS).
- **Integrity:** Medium (Potential to bypass file integrity checks).
- **Availability:** Low (Primary impact is security control bypass).
## Remediation
### Patches
- There is no "patch" for the recursion limit as it is a design choice to prevent Denial of Service (DoS) via stack exhaustion. However, ensure `libmagic` is updated to at least **v5.46** to standardize the 500-level limit.
### Workarounds
- **Multi-layered Validation:** Do not rely solely on `libmagic` for security-critical decisions. Use a secondary parser (e.g., `JSON.parse` or `json.loads`) to verify the content matches the detected type.
- **Strict Nesting Limits:** Configure application-level JSON parsers with nesting limits lower than the `libmagic` threshold (e.g., limit application JSON depth to 50-100 levels).
## Detection
- **Indicators of Compromise:**
  - Presence of 500+ repeated open-bracket/brace sequences in uploaded files.
  - Files containing conflicting magic bytes (e.g., a file starting with `%PDF` but containing deep JSON structures).
- **Tools:**
  - Static analysis of upload buffers to count recursion depth.
  - Comparison scripts checking if `libmagic` output differs from the final application parser's interpretation.
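An application-side check that implements both the Workarounds and the depth-counting Detection tool above, as an added example (not code from the original post or from libmagic itself): it caps nesting well below libmagic's guard, flags a foreign magic prefix, and only then hands the body to `json.loads`. The magic-prefix list and the 50-level cap are assumptions for this example.

```python
import json
from typing import Optional

# Application-side nesting cap, kept far below libmagic's recursion guard (500 in
# file 5.46) so the application never accepts as JSON what libmagic would not.
MAX_JSON_DEPTH = 50
# Magic prefixes that must not open a JSON upload (constructed list; extend it
# with the signatures of every type your application accepts).
CONFLICTING_MAGIC = (b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"#!", b"<?php", b"PK\x03\x04")

def max_nesting_depth(data: bytes) -> int:
    """Deepest bracket/brace nesting, ignoring brackets inside string literals;
    backslash escapes are honoured so an escaped quote cannot end a string early."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in data.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth

def validate_json_upload(data: bytes, max_depth: int = MAX_JSON_DEPTH) -> Optional[str]:
    """Return None if `data` is acceptable JSON, otherwise the rejection reason.
    The cheap depth scan runs before the parser, so a deeply nested body is
    rejected without ever being handed to json.loads."""
    if any(data.lstrip().startswith(m) for m in CONFLICTING_MAGIC):
        return "conflicting magic bytes at start of JSON upload"
    depth = max_nesting_depth(data)
    if depth > max_depth:
        return f"nesting depth {depth} exceeds limit {max_depth}"
    try:
        json.loads(data)
    except (ValueError, RecursionError):
        return "body is not well-formed JSON"
    return None

# Constructed sample: a 600-level body behind a PDF header, as in the IoC above.
DEEP_POLYGLOT = b"%PDF-1.4\n" + b"[" * 600 + b"]" * 600
```

Run the depth check before any parser or libmagic call; it is a linear scan and costs nothing compared with the parse it can avoid.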
## References
- Doyensec Research: hxxps[://]blog[.]doyensec[.]com/2025/01/09/cspt-file-upload[.]html
- Libmagic Source: hxxps[://]github[.]com/file/file/blob/master/src/is_json[.]c
- Author Profile: hxxps[://]linktr[.]ee/hamedsj5