Medium severity · GHSA Advisory · Published Jun 28, 2022 · Updated Sep 30, 2025
Uncontrolled Resource Consumption in Spray JSON
CVE-2018-18855
Description
Recursive descent parsers are susceptible to StackOverflowExceptions on too deeply nested structures, because the currently "open" parsing state is kept on the stack.
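One way to bound nesting before input reaches a recursive descent parser, shown as an added example (not spray-json code and not the 1.3.5 patch): an iterative scan that tracks bracket depth outside string literals. The `JsonDepthGuard` name and the limit of 64 are assumptions.

```scala
// Added example, not spray-json code. Names and the limit are assumptions.
object JsonDepthGuard {
  // Assumed limit; set it to the deepest document your API legitimately accepts.
  val DefaultMaxDepth = 64

  // Deepest '[' / '{' nesting in `json`, computed with a loop rather than
  // recursion, so the guard itself uses constant stack. Stops scanning once
  // `limit` has been exceeded. This is not a validator: malformed input is
  // still left for the real parser to reject.
  def maxDepth(json: String, limit: Int = Int.MaxValue): Int = {
    var depth = 0
    var max = 0
    var inString = false
    var escaped = false
    var i = 0
    while (i < json.length && max <= limit) {
      val c = json.charAt(i)
      if (inString) {
        // Brackets inside string literals are data, not structure.
        if (escaped) escaped = false
        else if (c == '\\') escaped = true
        else if (c == '"') inString = false
      } else c match {
        case '"'       => inString = true
        case '[' | '{' => depth += 1; if (depth > max) max = depth
        case ']' | '}' => if (depth > 0) depth -= 1
        case _         =>
      }
      i += 1
    }
    max
  }

  def withinLimit(json: String, limit: Int = DefaultMaxDepth): Boolean =
    maxDepth(json, limit) <= limit

  def main(args: Array[String]): Unit = {
    // Constructed inputs for illustration.
    val ordinary = """{"user": {"tags": ["a", "b"], "note": "[[[ not nesting ]]]"}}"""
    val deeplyNested = "[" * 100000 + "]" * 100000
    println(s"ordinary depth: ${maxDepth(ordinary)}")
    println(s"ordinary accepted: ${withinLimit(ordinary)}")
    println(s"deeply nested accepted: ${withinLimit(deeplyNested)}")
  }
}
```

Run the check on the raw request body and reject the input before it is handed to the parser; it complements, and does not replace, moving to the patched version 1.3.5 listed in the table.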
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.spray:spray-json_2.10 (Maven) | < 1.3.5 | 1.3.5 |
| io.spray:spray-json_2.11 (Maven) | < 1.3.5 | 1.3.5 |
| io.spray:spray-json_2.11.0-RC4 (Maven) | >= 0 | — |
| io.spray:spray-json_2.12 (Maven) | < 1.3.5 | 1.3.5 |
| io.spray:spray-json_2.12.0-M3 (Maven) | >= 0 | — |
| io.spray:spray-json_2.12.0-M5 (Maven) | >= 0 | — |
| io.spray:spray-json_2.12.0-RC1 (Maven) | >= 0 | — |
| io.spray:spray-json_2.12.0-RC2 (Maven) | >= 0 | — |
| io.spray:spray-json_2.13.0-M2 (Maven) | >= 0 | — |
| io.spray:spray-json_2.13.0-M4 (Maven) | >= 0 | — |
| io.spray:spray-json_2.13.0-M5 (Maven) | < 1.3.5 | 1.3.5 |
| io.spray:spray-json_2.9.3 (Maven) | >= 0 | — |
Affected products (13)
- Range: < 1.3.5
- ghsa-coords, 12 versions (< 1.3.5, + 11 more):
  - pkg:maven/io.spray/spray-json_2.10
  - pkg:maven/io.spray/spray-json_2.11
  - pkg:maven/io.spray/spray-json_2.11.0-RC4
  - pkg:maven/io.spray/spray-json_2.12
  - pkg:maven/io.spray/spray-json_2.12.0-M3
  - pkg:maven/io.spray/spray-json_2.12.0-M5
  - pkg:maven/io.spray/spray-json_2.12.0-RC1
  - pkg:maven/io.spray/spray-json_2.12.0-RC2
  - pkg:maven/io.spray/spray-json_2.13.0-M2
  - pkg:maven/io.spray/spray-json_2.13.0-M4
  - pkg:maven/io.spray/spray-json_2.13.0-M5
  - pkg:maven/io.spray/spray-json_2.9.3