Skip to content
This repository was archived by the owner on Jul 7, 2026. It is now read-only.
This repository was archived by the owner on Jul 7, 2026. It is now read-only.

Possible Denial of Service in lemur/plugins/lemur_vault_dest/plugin.py #5416

Description

@odopertchouk

VaultDestinationPlugin.upload in lemur/plugins/lemur_vault_dest/plugin.py calls os._exit(1) when a certificate's Subject Alternative Name does not match the destination's configured sanFilter regex.

os._exit() invokes the C library _exit() syscall; According to the official docs ( https://docs.python.org/3/library/os.html#os._exit ), it "Exits the process with status n, without calling cleanup handlers, flushing stdio buffers, etc."

In particular, it does not raise SystemExit, does not unwind the Python stack, and cannot be caught by any try/except (not even except BaseException). There's a surrounding SQLAlchemy event handler in lemur/certificates/models.py which wraps the upload call in try/except Exception, but it provides no protection against this code path for these reasons.

Therefore, an authenticated user with permission to attach destinations to a certificate, can reliably kill a Lemur WSGI worker or Celery worker on demand by uploading a certificate whose SAN list violates the sanFilter of an existing Vault destination. As os._exit bypasses logging flush, Sentry capture, and audit-log write, the bug leaves minimal forensic trail. It would look like an unexplained worker crash.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions