CVE-2021-27568
Description
Uncaught NumberFormatException in json-smart parser methods can cause DoS or information exposure when malformed JSON numbers are passed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The json-smart library for JSON parsing in Java contains a flaw in its number parsing routines. In versions v1 up to 2015-10-23 and v2 up to 2.4, the extractFloat() and readNumber() methods call Double.parseDouble() or Float.parseFloat() without catching the NumberFormatException that occurs when the input is not a valid floating-point number [1][3]. This uncaught exception propagates to the caller, potentially crashing the application or leaking sensitive information through stack traces.
Exploitation Details
An attacker can trigger the vulnerability by providing a specially crafted JSON payload that includes malformed numeric strings, such as "-. ", "2e+", or "[45e-" [4]. The vulnerable code paths are reached when the parser encounters a token that it treats as a number but that the Java runtime cannot parse. No authentication or special network position is required if the attacker can supply JSON input to an application using the vulnerable library. The issue affects both the json-smart-v1 and json-smart-v2 codebases [1].
Impact
Successful exploitation can lead to a denial-of-service (DoS) condition by causing the application to crash due to the unhandled exception. In some contexts, the exception may also include portions of the input or internal state, which could expose sensitive information [1][4]. The vulnerability is classified with a CVSS base score that reflects the availability impact, with additional potential confidentiality impact in certain configurations.
Mitigation Status
The vulnerability has been patched in json-smart-v1 by commit 768db58 and in json-smart-v2 starting from version 2.4.1. The fix wraps the numeric parsing calls in try-catch blocks that throw a ParseException instead of letting the NumberFormatException escape [3]. Users of json-smart-v1 should update to version 1.3.2 or later, and users of json-smart-v2 should upgrade to version 2.4.1 or newer [2][3].
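The mechanics described in the Overview and the fix described under Mitigation Status, as an added example in plain Java that is not json-smart's own code: readNumberVulnerable mirrors the unguarded Double.parseDouble()/BigDecimal path, readNumberFixed mirrors the try/catch-to-ParseException pattern of the patch, and readNumberStrict goes beyond the patch with a JSON-grammar check that the page does not describe (this example's addition). The class and method names, the ParseException shape and the sample tokens are this example's assumptions; the malformed strings are the ones quoted in the advisory.

```java
import java.math.BigDecimal;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Stand-in for the json-smart number path (illustrative, not the library's code).
 * readNumberVulnerable mirrors the pre-fix behaviour, readNumberFixed the patched
 * behaviour, and readNumberStrict adds a JSON-grammar gate that the page does not
 * describe (an assumption of this example).
 */
public class NumberTokenExample {

    /** Checked exception standing in for json-smart's ParseException (shape assumed). */
    public static class ParseException extends Exception {
        public ParseException(int pos, String token) {
            super("unexpected token at offset " + pos + ": " + token);
        }
    }

    /** Pre-fix pattern: the unchecked NumberFormatException escapes the parser. */
    public static Number readNumberVulnerable(String token, int pos) throws ParseException {
        String num = token.trim();
        if (num.length() > 18) {
            return new BigDecimal(num);   // BigDecimal(String) also throws NumberFormatException
        }
        return Double.parseDouble(num);   // throws NumberFormatException on "-.", "2e+", "45e-"
    }

    /** Patched pattern: translate the unchecked exception into the parser's checked one. */
    public static Number readNumberFixed(String token, int pos) throws ParseException {
        String num = token.trim();
        try {
            if (num.length() > 18) {
                return new BigDecimal(num);
            }
            return Double.parseDouble(num);
        } catch (NumberFormatException e) {
            // Report position and token; callers already handle ParseException.
            throw new ParseException(pos, num);
        }
    }

    // RFC 8259 number grammar. Double.parseDouble is laxer: it also accepts
    // "NaN", "Infinity", hex floats such as "0x1p3", and type suffixes such as "1d".
    private static final Pattern JSON_NUMBER =
            Pattern.compile("-?(?:0|[1-9][0-9]*)(?:\\.[0-9]+)?(?:[eE][+-]?[0-9]+)?");

    /** Stricter variant (this example's addition): reject non-JSON numbers before parsing. */
    public static Number readNumberStrict(String token, int pos) throws ParseException {
        String num = token.trim();
        if (!JSON_NUMBER.matcher(num).matches()) {
            throw new ParseException(pos, num);
        }
        return readNumberFixed(num, pos);
    }

    /** A consumer that handles only the documented checked exception. */
    static String consume(String token, boolean fixed) {
        try {
            Number n = fixed ? readNumberStrict(token, 0) : readNumberVulnerable(token, 0);
            return "ok: " + n;
        } catch (ParseException e) {
            return "rejected: " + e.getMessage();
        }
        // No catch for NumberFormatException: on the vulnerable path it unwinds the
        // request thread, and its message echoes the raw input.
    }

    public static void main(String[] args) {
        // Constructed inputs: the last four are malformed shapes; "Infinity" is
        // accepted by parseDouble but is not a JSON number.
        List<String> tokens = List.of("42", "-1.5e3", "Infinity", "-.", "2e+", "45e-",
                "1234567890123456789e+");
        for (String t : tokens) {
            System.out.println("fixed+strict  " + t + " -> " + consume(t, true));
        }
        for (String t : tokens) {
            try {
                System.out.println("vulnerable    " + t + " -> " + consume(t, false));
            } catch (NumberFormatException e) {
                System.out.println("vulnerable    " + t + " -> uncaught " + e);
            }
        }
    }
}
```

Run it with `javac NumberTokenExample.java && java NumberTokenExample`. The vulnerable loop shows the NumberFormatException reaching main with the raw token in its message, which is the information-exposure angle; the fixed loop returns a ParseException that the consumer already handles. The grammar gate is worth the extra line because Double.parseDouble() accepts values no JSON producer emits, and the 21-character token shows that the BigDecimal branch needs the same protection.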
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| net.minidev:json-smart | Maven | < 1.3.2 | 1.3.2 |
| net.minidev:json-smart | Maven | >= 2.4.0, < 2.4.1 | 2.4.1 |
| net.minidev:json-smart-mini | Maven | < 1.3.2 | 1.3.2 |
| net.minidev:json-smart | Maven | >= 2.0.0, < 2.3.1 | 2.3.1 |
Affected products
- netplex/json-smart (no CPE assigned; 3 OSV coordinates)
  - pkg:apk/chainguard/hadoop-fips-3.3.6, range: < 3.3.6-r21
  - pkg:maven/net.minidev/json-smart, range: < 1.3.2
  - pkg:maven/net.minidev/json-smart-mini, range: < 1.3.2
Patches
Commit 768db58ee0e3: fix CVE-2021-27568 in 2 packages
5 files changed · +17 −13
json-smart-mini/pom.xml+1 −1 modified@@ -9,7 +9,7 @@ <parent> <groupId>net.minidev</groupId> <artifactId>parent</artifactId> - <version>1.0.9-1</version> + <version>1.3.2</version> <relativePath>../parent/pom.xml</relativePath> </parent>
json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java+12 −4 modified@@ -250,9 +250,13 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException { return sb.toString().trim(); } String num = sb.toString().trim(); - if (num.length() > 18) // follow JSjonIJ parssing methode - return new BigDecimal(num); - return Double.parseDouble(num); + try { + if (num.length() > 18) // follow JSjonIJ parssing methode + return new BigDecimal(num); + return Double.parseDouble(num); + } catch (NumberFormatException e) { + throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); + } } sb.append('E'); read(); @@ -266,7 +270,11 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException { skipNQString(stop); return sb.toString().trim(); } - return Double.parseDouble(sb.toString().trim()); + try { + return Double.parseDouble(sb.toString().trim()); + } catch (NumberFormatException e) { + throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); + } } else { skipNQString(stop); return sb.toString().trim();
json-smart/pom.xml+1 −1 modified@@ -10,7 +10,7 @@ <parent> <groupId>net.minidev</groupId> <artifactId>parent</artifactId> - <version>1.3.1</version> + <version>1.3.2</version> <relativePath>../parent/pom.xml</relativePath> </parent>
json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java+1 −5 modified@@ -134,17 +134,13 @@ public void checkLeadinZero() throws ParseException { protected Number extractFloat() throws ParseException { if (!acceptLeadinZero) checkLeadinZero(); - try { if (!useHiPrecisionFloat) return Float.parseFloat(xs); - if (xs.length() > 18) // follow JSonIJ parsing method return new BigDecimal(xs); - return Double.parseDouble(xs); - - } catch(NumberFormatException e){ + } catch(NumberFormatException e) { throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs); } }
parent/pom.xml+2 −2 modified@@ -3,7 +3,7 @@ <modelVersion>4.0.0</modelVersion> <groupId>net.minidev</groupId> <artifactId>parent</artifactId> - <version>1.3.1</version> + <version>1.3.2</version> <name>Minidev public super pom</name> <description>minidev common properties.</description> <packaging>pom</packaging> @@ -25,7 +25,7 @@ <id>uriel</id> <name>Uriel Chemouni</name> <email>uchemouni@gmail.com</email> - <timezone>GMT+1</timezone> + <timezone>GMT+3</timezone> <roles> </roles> </developer>
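Review bot: In both readNumber hunks of json-smart-mini JSONParserStream.java the new ParseException passes `xs` as the offending text, while the string that actually failed to parse is `num` (first hunk) or `sb.toString().trim()` (second hunk); confirm that `xs` holds the current token in the stream parser, otherwise report the parsed string so the error points at the malformed number. The identical try/catch is duplicated across the two hunks and would read better as one small helper, and since the comment is being re-added on a `+` line, the typos in `follow JSjonIJ parssing methode` could be fixed to match `follow JSonIJ parsing method` in JSONParserBase.java.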
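Review bot: The extractFloat hunk in json-smart JSONParserBase.java is cosmetic as far as the visible lines show: the only `+` line differs from its `-` counterpart by the space in `} catch(NumberFormatException e) {`, the `try {` that pairs with that catch is unchanged context, and the other removals are blank lines, so the catch already existed in this module. That is fine cleanup, but the commit message `fix CVE-2021-27568 in 2 packages` suggests a functional fix in both packages; stating that the substantive change is confined to json-smart-mini's JSONParserStream.java would save reviewers from hunting for a behaviour change in json-smart.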
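Review bot: The json-smart-mini/pom.xml hunk moves the parent `<version>` from 1.0.9-1 straight to 1.3.2, a larger jump than the 1.3.1 to 1.3.2 bump in json-smart/pom.xml and parent/pom.xml; it is worth checking that nothing in the parent pom's properties or dependency management between those versions changes json-smart-mini's build before shipping this as a security-only release.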
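Review bot: The second hunk of parent/pom.xml changes the developer `<timezone>` from GMT+1 to GMT+3, which is unrelated to the CVE fix and to the version bump; keeping metadata edits out of a security-fix commit makes the backport cleaner and the changelog accurate.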
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v528-7hrm-frqp [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2021-27568 [ghsa: ADVISORY]
- github.com/netplex/json-smart-v1/commit/768db58ee0e3e344fcdb574b7629765308a1d0af [ghsa: WEB]
- github.com/netplex/json-smart-v1/issues/7 [ghsa: WEB, x_refsource_MISC]
- github.com/netplex/json-smart-v2/issues/60 [ghsa: WEB, x_refsource_MISC]
- github.com/netplex/json-smart-v2/issues/62 [ghsa: WEB]
- github.com/netplex/json-smart-v2/pull/72 [ghsa: WEB]
- lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396%40%3Ccommits.druid.apache.org%3E [mitre: mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396@%3Ccommits.druid.apache.org%3E [ghsa: WEB]
- lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E [mitre: mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E [ghsa: WEB]
- lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6%40%3Ccommits.druid.apache.org%3E [mitre: mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6@%3Ccommits.druid.apache.org%3E [ghsa: WEB]
- www.oracle.com//security-alerts/cpujul2021.html [ghsa: WEB, x_refsource_MISC]
- www.oracle.com/security-alerts/cpuapr2022.html [ghsa: WEB, x_refsource_MISC]
- www.oracle.com/security-alerts/cpujan2022.html [ghsa: WEB, x_refsource_MISC]