Moderate severity · NVD Advisory · Published Jul 29, 2013 · Updated Apr 29, 2026
CVE-2013-3300
Description
The JsonParser class in json/JsonParser.scala in Lift before 2.5 interprets a certain end-index value as a length value, which allows remote authenticated users to obtain sensitive information from other users' sessions via invalid input data containing a < (less than) character.
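To make the end-index-versus-length confusion in the description concrete, the following is an added Scala example, not Lift's code: it models a pooled parser segment that is reused without being cleared (an assumption consistent with the cross-session leak described above), fills it with a constructed prior document, then overwrites the prefix with malformed input and computes the error-context window with the pre-fix and post-fix arithmetic from the Patches section. `segmentSize`, `NearWindowDemo`, `reusedSegment` and both sample documents are constructed for illustration.

```scala
// Added example, not Lift's code: models the pooled parser segment that
// JsonParser.scala reads error context from, and compares the pre-fix and
// post-fix `near` arithmetic. segmentSize and both documents are constructed.
object NearWindowDemo {
  val segmentSize = 1024 // stands in for Segments.segmentSize (assumed value)

  // Pre-fix: the third argument is meant as an end index, but
  // String(char[], offset, count) treats it as a count, so the window
  // extends cur + 1 chars past start instead of ending at cur + 1.
  def nearBuggy(segment: Array[Char], cur: Int): String =
    new String(segment, (cur - 20) max 0, (cur + 1) min segmentSize)

  // Post-fix (the arithmetic from commit 099d9c86cf6d): turn the exclusive
  // end index into a length, so the window never exceeds 21 chars.
  def nearFixed(segment: Array[Char], cur: Int): String = {
    val start = (cur - 20) max 0
    val len = ((cur + 1) min segmentSize) - start
    new String(segment, start, len)
  }

  // Fill a pooled segment with one document, then overwrite its prefix with
  // a shorter one, as a reused segment that is not cleared on release would be.
  def reusedSegment(prior: String, current: String): Array[Char] = {
    val segment = new Array[Char](segmentSize)
    prior.getChars(0, prior.length, segment, 0)
    current.getChars(0, current.length, segment, 0)
    segment
  }

  def main(args: Array[String]): Unit = {
    // Request 1: another user's document (constructed; the token is fake).
    val prior = """{"user":"bob","sessionToken":"0123456789abcdef-SECRET-OF-PRIOR-USER"}"""
    // Request 2: malformed input with a stray '<' after the closing quote,
    // the shape the advisory describes; the parser stops at that character.
    val current = """{"user":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"<}"""
    val segment = reusedSegment(prior, current)
    val cur = current.indexOf('<')

    val leaked = nearBuggy(segment, cur)
    val bounded = nearFixed(segment, cur)
    println(s"pre-fix near  (${leaked.length} chars): $leaked")
    println(s"post-fix near (${bounded.length} chars): $bounded")
    println(s"pre-fix window contains stale data: ${leaked.contains("SECRET")}")
    println(s"post-fix window contains stale data: ${bounded.contains("SECRET")}")
  }
}
```

The pre-fix window runs past the end of the current input into bytes left by the earlier document, which is exactly what ends up in the parse error message a caller sees; the post-fix window stops at the offending character.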
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| net.liftweb:lift-webkit | >= 0 | — |
| net.liftweb:lift-webkit_2.7.7 | >= 0 | — |
| net.liftweb:lift-webkit_2.8.0 | >= 0 | — |
| net.liftweb:lift-webkit_2.8.1 | >= 0 | — |
| net.liftweb:lift-webkit_2.8.2 | >= 0 | — |
| net.liftweb:lift-webkit_2.9.0 | >= 0 | — |
| net.liftweb:lift-webkit_2.9.0-1 | >= 0 | — |
| net.liftweb:lift-webkit_2.9.1 | < 2.5 | 2.5 |
Affected products
- cpe:2.3:a:liftweb:lift:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:m4:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc3:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc4:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:2.5:rc5:*:*:*:*:*:*
- cpe:2.3:a:liftweb:lift:*:rc6:*:*:*:*:*:* (range: <= 2.5)
Patches
099d9c86cf6d: Addresses a data bleeding issue with lift-json
2 files changed · +23 −1
core/json/src/main/scala/net/liftweb/json/JsonParser.scala+5 −1 modified@@ -384,7 +384,11 @@ object JsonParser { } } - def near = new String(segment, (cur-20) max 0, (cur + 1) min Segments.segmentSize) + def near = { + val start = (cur - 20) max 0 + val len = ((cur + 1) min Segments.segmentSize) - start + new String(segment, start, len) + } def release = segments.foreach(Segments.release)
core/json/src/test/scala/net/liftweb/json/JsonParserSpec.scala+18 −0 modified@@ -27,6 +27,15 @@ import org.scalacheck.Prop._ * System under specification for JSON Parser. */ object JsonParserSpec extends Specification with JValueGen with ScalaCheck { + + private def parseBadThing(): String = try { + parse("""{"user":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"<}""") + "x" * 1000 + } catch { + case e: Throwable => e.getMessage + } + + "JSON Parser Specification".title "Any valid json can be parsed" in { 
@@ -54,6 +63,15 @@ object JsonParserSpec extends Specification with JValueGen with ScalaCheck { parse("[\"abc\\\"\\\\\\/\\b\\f\\n\\r\\t\\u00a0\"]") must_== JArray(JString("abc\"\\/\b\f\n\r\t\u00a0")::Nil) } + + "Parser does not bleed prior results" in { + parse("""{"a": "now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things. now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things.now is the time for all good men to come to the aid of their dog and eat dog food with other dogs and bark and woof and do dog things"}""") + + val msg = parseBadThing() + + msg.length must be_<=(50) + } + "Unclosed string literal fails parsing" in { parseOpt("{\"foo\":\"sd") mustEqual None parseOpt("{\"foo\":\"sd}") mustEqual None
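Review bot: in the JsonParser.scala hunk, the `near` rewrite fixes the index/length confusion in `new String(segment, start, len)`, but `def release = segments.foreach(Segments.release)` still hands the segment back to the pool with its contents intact, so the bounded window is now the only thing keeping a previous parse's bytes out of error messages. Consider clearing the segment on release (for example `java.util.Arrays.fill(segment, '\u0000')`) as defence in depth, and add a comment stating that `(cur + 1) min Segments.segmentSize` is an exclusive end index so the subtraction is not dropped again later.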
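Review bot: in the `parseBadThing` hunk, `case e: Throwable => e.getMessage` is broader than the test needs; it would also swallow a `StackOverflowError` or `OutOfMemoryError` and turn it into a string-length check. Catching the parser's own exception type (if that is what `parse` throws here) keeps unrelated failures visible. A one-line comment explaining that the `<` after the closing quote is the malformed token that drives the parser into `near`, and that the `"x" * 1000` fallback makes a silently successful parse fail the length bound, would help the next reader.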
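Review bot: in the "Parser does not bleed prior results" hunk, `msg.length must be_<=(50)` only bounds the size of the message; it does not show that the long document parsed just before it is absent from it. Add a content assertion such as `msg must not contain("now is the time")` so the test fails on the actual bleed rather than on an incidental length, and note in a comment that the test depends on the second `parse` reusing the segment released by the first, which holds only when the two calls run sequentially against the same pool.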
References
- blog.addepar.com/2013/07/an-atypical-web-vulnerability.html (NVD, exploit)
- github.com/lift/framework/commit/099d9c86cf6d81f4953957add478ab699946e601 (NVD, patch)
- github.com/advisories/GHSA-jf9v-fxfq-wm76 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-3300 (NVD advisory)