CVE-2023-30188: 
ONLYOFFICE DocumentServer vulnerability analysis and mitigation

A Memory Exhaustion vulnerability was discovered in ONLYOFFICE Document Server versions 4.0.3 through 7.3.2, tracked as CVE-2023-30188. The vulnerability allows remote attackers to cause a denial of service through a crafted JavaScript file (MITRE CVE, NVD).

The vulnerability exists in the Docbuilder component which uses a v8 engine to execute JavaScript code inside the process. The issue occurs through the /docbuilder API route, where an attacker with a valid JWT token can execute JavaScript code. The vulnerability specifically involves the Save_Alloc function, which can be exploited by executing it in an infinite loop, leading to uncontrolled memory allocation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub POC).

When successfully exploited, this vulnerability can lead to a denial of service condition affecting the DocumentServer application and potentially the host system. The attack can cause memory exhaustion through continuous allocation of memory resources (GitHub POC).

The vulnerability has been patched through a fix implemented in the ONLYOFFICE core repository. The patch removes the vulnerable functionality containing the SaveAlloc and SaveReAlloc methods (Core Patch).