CVE-2021-42717: 
NixOS vulnerability analysis and mitigation

ModSecurity versions 3.x through 3.0.5 and versions 2.8.0 through 2.9.4 contain a vulnerability related to JSON parsing that could enable a Denial of Service (DoS) attack. The vulnerability, identified as CVE-2021-42717, was discovered and responsibly disclosed by Andrea "theMiddle" Menin, with the issue being publicly disclosed in November 2021 (Trustwave Blog).

The vulnerability stems from the mishandling of excessively nested JSON objects in ModSecurity's JSON parser. When processing HTTP request bodies in JSON format, the parser can be triggered by requests with Content-Type 'application/json' or optionally other Content-Type values. The issue occurs when JSON objects are nested tens-of-thousands of levels deep, causing significant resource consumption during parsing. Even a moderately large HTTP request (around 300KB) can occupy an NGINX worker process for minutes and consume almost all available CPU resources (NVD, Trustwave Blog).

The primary impact of this vulnerability is the potential for Denial of Service attacks. When exploited, the vulnerability can render the web server unable to service legitimate requests. The attack can be particularly effective when multiple malicious requests are processed simultaneously, leading to significant server resource consumption and degraded performance (Trustwave Blog).

The vulnerability has been addressed in ModSecurity versions v2.9.5 and v3.0.6, which introduce a configurable limit on the maximum depth accepted during JSON parsing. The default depth limit is set to 10,000 but can be customized using the SecRequestBodyJsonDepthLimit configuration option. For users unable to update immediately, alternative mitigation strategies include disabling ModSecurity rules that activate the JSON parser if JSON request bodies are not required, or implementing request size limits (Trustwave Blog).