dbus-fast is vulnerable to Denial of Service (DoS)
57
Medium Risk
dbus-fast parses D-Bus introspection XML returned by peers using the standard-library xml.etree.ElementTree parser, which expands internal XML entities. A hostile or unprivileged peer can answer an org.freedesktop.DBus.Introspectable.Introspect request with a tiny document that defines nested or repeatedly referenced entities, forcing the parser to expand it into gigabytes and exhaust process memory or CPU. Clients and daemons that automatically introspect peers appearing on the bus are exposed to this billion-laughs / quadratic-blowup denial of service. The fix routes introspection parsing through a custom pyexpat parser that rejects internal DTD subsets and disables parameter-entity parsing.
You are affected if you are using a version that falls within the vulnerable range and your application introspects untrusted D-Bus peers.
dbus-fast is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 4.2.0.
Upgrade the dbus-fast library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant