CVE-2023-30188 in Document Serverinfo

Summary

by MITRE • 08/14/2023

Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/21/2025

The memory exhaustion vulnerability identified as CVE-2023-30188 affects ONLYOFFICE Document Server versions ranging from 4.0.3 through 7.3.2, representing a critical denial of service weakness that can be exploited remotely by attackers. This vulnerability stems from insufficient input validation mechanisms within the JavaScript processing component of the document server, allowing malicious actors to craft specially designed JavaScript files that trigger excessive memory allocation during document rendering processes. The flaw specifically manifests when the system attempts to parse and execute malformed JavaScript code within document files, causing the memory consumption to spiral beyond normal operational limits. This vulnerability aligns with CWE-400 which categorizes memory allocation issues as a fundamental weakness in software design, particularly when systems fail to properly validate and sanitize input data before processing.

The technical exploitation of this vulnerability occurs when an attacker uploads or accesses a crafted JavaScript file that contains memory-intensive operations or recursive code structures designed to consume system resources rapidly. During document processing, the ONLYOFFICE Document Server allocates memory to execute the JavaScript code without adequate bounds checking or resource limiting mechanisms. The vulnerability is particularly dangerous because it can be triggered through various document formats that support JavaScript embedding, including pdf documents, html files, or office documents that may contain embedded script elements. Attackers can leverage this weakness to perform sustained denial of service attacks by repeatedly submitting malicious files, causing system memory exhaustion and subsequent application crashes or unresponsiveness.

The operational impact of CVE-2023-30188 extends beyond simple service disruption, potentially compromising the availability of document processing services for legitimate users and creating opportunities for more sophisticated attacks. Organizations relying on ONLYOFFICE Document Server for document collaboration, editing, and processing may experience complete service outages during active exploitation attempts, affecting productivity and business continuity. The vulnerability can be particularly damaging in enterprise environments where document servers handle high volumes of user requests, as the memory exhaustion can cascade into system-wide performance degradation affecting other services running on the same infrastructure. This weakness also creates potential for indirect exploitation pathways where attackers might combine this vulnerability with other attack vectors to establish persistent access or escalate privileges within the affected systems.

Organizations should implement immediate mitigations including applying the latest security patches released by ONLYOFFICE to address the memory exhaustion vulnerability, as well as implementing input validation controls that restrict the size and complexity of JavaScript code that can be processed within the document server environment. Network-level protections such as rate limiting and content filtering mechanisms should be deployed to prevent malicious file uploads and limit the impact of potential exploitation attempts. Additionally, implementing monitoring and alerting systems to detect unusual memory consumption patterns can provide early warning of exploitation attempts. The vulnerability demonstrates the importance of adhering to secure coding practices and input validation as outlined in the software security principles referenced in the ATT&CK framework, particularly in the context of defensive techniques against resource exhaustion attacks that target application processing capabilities.

Reservation

04/07/2023

Disclosure

08/14/2023

Moderation

accepted

CPE

ready

EPSS

0.01614

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!