v26.2.9

Harden identity-schema loading against denial-of-service

Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema compiler, kratos now rejects schemas that exceed any of the following limits:

  • 1 MiB body size on the fetched schema document.
  • 32 levels of nested objects or arrays.
  • 1024 keys per object (properties, patternProperties, $defs, etc.).
  • 128 elements per array (allOf, anyOf, oneOf, tuple items, etc.).
  • 8192 total nodes across the schema tree.

The same pass also rejects $ref values that resolve to the document root (#, #/, or empty) — these produce a self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate time. Invalid regular expressions in pattern and patternProperties keys are now caught up front, instead of panicking deep in the upstream compiler.
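One way to implement such a structural gate, added here as an illustration rather than kratos' own code: a Go check that applies the size, depth, key, element and node limits listed above and rejects a root-pointing $ref, but does not cover the regular-expression checks. The function and constant names (CheckSchema, walk, ErrSchemaRejected) are assumptions of this example.

```go
package main
import (
	"encoding/json"
	"errors"
	"fmt"
)
// Limits from the release note (constant names are this example's own).
const maxBody, maxDepth, maxKeys, maxItems, maxNodes = 1 << 20, 32, 1024, 128, 8192
var ErrSchemaRejected = errors.New("identity schema rejected by pre-parse gate")
// CheckSchema gates a fetched schema body before a JSON Schema compiler sees it; the byte cap runs first, so the tree Unmarshal builds is bounded by it.
func CheckSchema(body []byte) error {
	if len(body) > maxBody {
		return fmt.Errorf("%w: body is %d bytes, limit %d", ErrSchemaRejected, len(body), maxBody)
	}
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("%w: %v", ErrSchemaRejected, err)
	}
	nodes := 0
	return walk(doc, 0, &nodes)
}
// walk checks one node; depth counts the containers enclosing v, nodes the total visited so far.
func walk(v interface{}, depth int, nodes *int) error {
	if *nodes++; *nodes > maxNodes {
		return fmt.Errorf("%w: more than %d nodes", ErrSchemaRejected, maxNodes)
	}
	obj, _ := v.(map[string]interface{})
	arr, _ := v.([]interface{})
	if obj == nil && arr == nil {
		return nil // scalar leaf (string, number, bool, null): nothing more to check
	}
	if depth++; depth > maxDepth {
		return fmt.Errorf("%w: nesting deeper than %d levels", ErrSchemaRejected, maxDepth)
	}
	if len(obj) > maxKeys || len(arr) > maxItems {
		return fmt.Errorf("%w: %d keys / %d elements exceed per-container limits", ErrSchemaRejected, len(obj), len(arr))
	}
	if ref, ok := obj["$ref"].(string); ok && (ref == "" || ref == "#" || ref == "#/") {
		return fmt.Errorf("%w: $ref %q points at the document root", ErrSchemaRejected, ref) // would compile to a self-referential pointer
	}
	for _, c := range obj {
		arr = append(arr, c) // object values join the single recursion loop below
	}
	for _, c := range arr {
		if err := walk(c, depth, nodes); err != nil {
			return err
		}
	}
	return nil
}
```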

When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are unaffected.

The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything larger.

Existing identity schemas at realistic sizes (well under all limits) are unaffected.

Patch security vulnerabilities in dependencies

Bump several dependencies to patched versions to address security advisories reported by Dependabot.

Notable updates:

  • github.com/jackc/pgx/v5 to v5.9.2 across all Go modules (SQL injection via placeholder confusion in dollar-quoted string literals).
  • github.com/moby/spdystream to v0.5.1 (denial of service on container runtime interface).
  • go.opentelemetry.io/otel to v1.41.0 (remote DoS amplification via multi-value baggage header).
  • postcss to >=8.5.10 (XSS via unescaped </style> in CSS stringify output).
  • uuid to >=14.0.0 (missing buffer bounds check in v3/v5/v6 generators).
  • @xmldom/xmldom to >=0.8.13 (XML node injection and uncontrolled recursion).
  • axios, follow-redirects, lodash, picomatch, brace-expansion, serialize-javascript, yaml, file-type, i18next-fs-backend, @nestjs/core to their respective patched versions.