jsoup up to 1.14.1 HTML Parser/XML Parser infinite loop

Summaryinfo

A vulnerability was found in jsoup up to 1.14.1 and classified as problematic. This issue affects some unknown processing of the component HTML Parser/XML Parser. Executing a manipulation can lead to infinite loop. This vulnerability appears as CVE-2021-37714. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic was found in jsoup up to 1.14.1. This vulnerability affects an unknown code of the component HTML Parser/XML Parser. The manipulation with an unknown input leads to a infinite loop vulnerability. The CWE definition for the vulnerability is CWE-835. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. As an impact it is known to affect availability.

The weakness was presented 08/18/2021. The advisory is shared for download at github.com. This vulnerability was named CVE-2021-37714. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1499.

The vulnerability scanner Nessus provides a plugin with the ID 233713 (Amazon Linux 2 : jsoup (ALAS-2025-2813)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 1.14.2 eliminates this vulnerability. The upgrade is hosted for download at jsoup.org.

The vulnerability is also documented in the vulnerability database at Tenable (233713). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• jsoup

Version

• 1.14.0
• 1.14.1

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion