Stack Buffer Overflow in Jettison
Description
Jettison XML/JSON library is vulnerable to a stack overflow Denial of Service via deeply nested input when recursion depth limits are not properly enforced.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
CVE-2022-40149 describes a Denial of Service (DoS) vulnerability in the Jettison Java library, which converts between XML and JSON. The root cause is a stack overflow that occurs when the parser processes untrusted, deeply nested input [1]. The library's default recursion depth limit of 500 did not reliably prevent stack exhaustion on some thread-stack configurations, so a sufficiently nested document could crash the Java Virtual Machine.
Attack Vector
An attacker can exploit this vulnerability by supplying a specially crafted, deeply nested XML or JSON payload to an application that uses Jettison to parse user-supplied data. No authentication is required; the attack is launched over the network by sending the malicious input to a service that triggers parsing. The issue was identified through OSS-Fuzz fuzzing with Jazzer, which produced stack overflow crash reports [3].
Impact
Successful exploitation results in a denial of service. The application crashes due to a stack overflow, making the service unavailable to legitimate users. This is a high-severity issue (CVSS 7.5) because it can be executed remotely without authentication and requires no special privileges.
Mitigation
The vulnerability is fixed in Jettison version 1.5.1, released on September 16, 2022 [2]. Users should upgrade to this version or later. The fix enforces the configurable recursion depth limit more strictly, preventing stack overflow. As a workaround, applications can set a lower global recursion depth limit via JSONObject.setGlobalRecursionDepthLimit(int) and monitor for deeply nested inputs. The project's repository documents the configurable security limits [4].
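The two mitigations named above (lowering Jettison's global recursion depth limit and screening input for excessive nesting) can be combined into one defensive parse path. The example below is added here and is not Jettison project code; it assumes Jettison 1.5.1 or later on the classpath (package `org.codehaus.jettison.json`, with the `JSONObject.setGlobalRecursionDepthLimit(int)` method named on this page), and the class name `NestingLimitDemo`, the constant `MAX_DEPTH = 64` and the sample inputs are all constructed for illustration.

```java
// Added example (not part of the Jettison project): parse untrusted JSON with two
// nesting guards, a cheap pre-parse scan and Jettison's own recursion depth limit.
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

public class NestingLimitDemo {

    // Assumed policy value for this example; pick a limit that fits the
    // application's real documents and the thread stack size it runs with.
    static final int MAX_DEPTH = 64;

    static {
        // Second line of defence (Jettison 1.5.1+): a limit well below the default
        // of 500 makes the parser fail with JSONException instead of letting the
        // JVM hit StackOverflowError on a deep document.
        JSONObject.setGlobalRecursionDepthLimit(MAX_DEPTH);
    }

    /**
     * First line of defence: scan the raw text and return its maximum bracket/brace
     * nesting, ignoring brackets that appear inside string literals. The scan is
     * iterative, so it never touches the call stack, and it stops as soon as the
     * nesting exceeds {@code limit}.
     */
    static int maxNesting(String json, int limit) {
        int depth = 0;
        int max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') {
                    i++;                     // skip the escaped character
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > max) {
                        max = depth;
                    }
                    if (max > limit) {
                        return max;          // already over budget: stop early
                    }
                    break;
                case '}':
                case ']':
                    if (depth > 0) {
                        depth--;
                    }
                    break;
                default:
                    break;
            }
        }
        return max;
    }

    /** Rejects over-nested input before Jettison ever recurses into it. */
    static Object parseUntrusted(String json) throws JSONException {
        if (maxNesting(json, MAX_DEPTH) > MAX_DEPTH) {
            throw new JSONException("input exceeds nesting limit of " + MAX_DEPTH);
        }
        String trimmed = json.trim();
        return trimmed.startsWith("[") ? new JSONArray(trimmed) : new JSONObject(trimmed);
    }

    /** Builds a constructed test document of the given nesting depth: [[[...]]]. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign document whose only deep-looking
        // brackets sit inside a string, and an over-nested one.
        String benign = "{\"a\":[1,2,{\"b\":\"[[[not nesting]]]\"}]}";
        String tooDeep = nested(10_000);
        try {
            parseUntrusted(benign);
            System.out.println("accepted, nesting=" + maxNesting(benign, MAX_DEPTH));
        } catch (JSONException e) {
            System.out.println("unexpected rejection: " + e.getMessage());
        }
        try {
            parseUntrusted(tooDeep);
            System.out.println("unexpectedly accepted over-nested input");
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The pre-parse scan is what keeps the service alive: it runs in constant stack space and bounds the work to one pass over the input, so the recursive parser only ever sees documents that already fit the budget. The Jettison limit is kept as a backstop for any path that reaches the parser without going through `parseUntrusted`, and because it is a global (static) setting it should be configured once at startup rather than per request.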
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.codehaus.jettison:jettison (Maven) | < 1.5.1 | 1.5.1 |
Affected products
Seven entries: six OSV package coordinates plus one vendor/product entry. None of them carries a CPE.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/druid | < 35.0.1-r5 |
| pkg:apk/chainguard/druid-compat | < 34.0.0-r6 |
| pkg:apk/wolfi/druid | < 35.0.1-r5 |
| pkg:apk/wolfi/druid-compat | < 34.0.0-r6 |
| pkg:maven/org.codehaus.jettison/jettison | < 1.5.1 |
| pkg:rpm/opensuse/jettison&distro=openSUSE%20Tumbleweed | < 1.5.1-1.1 |
| Jettison/Jettison (vendor/product) | unspecified |
Patches
Commit 11268b7558bad: Prevent infinite loop when a /* comment is not terminated
2 files changed · +20 −3
src/main/java/org/codehaus/jettison/json/JSONTokener.java+0 −1 modified@@ -192,7 +192,6 @@ public char nextClean() throws JSONException { if (next() == '/') { break; } - back(); } } break;
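Review bot: dropping `back();` after the `if (next() == '/') { break; }` lookahead changes how a `*` that is not followed by `/` is handled, not only the end-of-input case: the lookahead character is now consumed instead of being re-read, so a comment closed with `**/` (two stars before the slash) will have its second `*` swallowed and the following `/` treated as comment body, leaving that comment unterminated. If the aim is to stop the loop re-reading the same character once the input is exhausted, guard that case explicitly (test the value `next()` returned for end of input before pushing it back) rather than removing the push-back for every non-`/` character. The hunk also carries no comment on why the push-back was unsafe here; a one-line note would help the next reader of `nextClean()`.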
src/test/java/org/codehaus/jettison/json/JSONArrayTest.java+20 −2 modified@@ -43,6 +43,24 @@ public void testEscapingInArrayIsTrunedOff() throws JSONException { String expectedValue = "[\"a string with / character\",{\"key\":\"http://example.com/foo\"}]"; assertEquals(expectedValue, array.toString()); } - - + + public void testInfiniteLoop() { + String str = "[*/*A25] **"; + try { + new JSONArray(str); + fail("Failure expected on malformed JSON"); + } catch (JSONException ex) { + // expected + } + } + + public void testInfiniteLoop2() { + String str = "[/"; + try { + new JSONArray(str); + fail("Failure expected on malformed JSON"); + } catch (JSONException ex) { + // expected + } + } }
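Review bot: `testInfiniteLoop` and `testInfiniteLoop2` assert only that `new JSONArray(str)` throws `JSONException`; if the loop regresses to spinning forever, these tests hang the build instead of failing, so run the parse on a separate thread with a bounded join (this JUnit 3 style test class has no timeout annotation available) and fail on timeout. Neither test covers the `**/` closing form whose handling the `JSONTokener` change affects; a positive case such as `[/* c **/ 1]` that must still parse would catch that regression.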
Vulnerability mechanics
Root cause
"Removal of a `back()` call inside the comment-skipping loop of `JSONTokener.nextClean()` causes an infinite loop when an unterminated `/*` comment is encountered."
Attack vector
An attacker supplies a crafted JSON or XML payload containing an unclosed `/*` comment sequence (e.g., `[*/*A25] **` or `[/`). When the parser calls `nextClean()` to skip whitespace and comments, the loop that consumes the comment body never terminates because the removed `back()` call previously prevented the parser from re-consuming the same character indefinitely. The result is a stack overflow or thread hang, leading to a denial of service. No authentication or special network position is required; the attack succeeds wherever untrusted input is parsed.
Affected code
The vulnerable code is in `src/main/java/org/codehaus/jettison/json/JSONTokener.java`, specifically in the `nextClean()` method around line 192. The comment-skipping loop that handles `/* ... */` blocks contained a `back()` call that caused the parser to re-push the same character onto the internal buffer, leading to an infinite loop when the comment was never terminated.
What the fix does
The patch removes the single line `back();` from the comment-skipping branch inside `JSONTokener.nextClean()` [patch_id=1641289]. Previously, after reading a character inside a `/*` comment, the code would push that character back onto the stream via `back()`, causing the loop to re-read the same character forever when the closing `*/` was never found. Deleting the `back()` call ensures each character is consumed exactly once, so the loop either finds the closing `*/` or reaches the end of input and throws a `JSONException`. The added unit tests (`testInfiniteLoop` and `testInfiniteLoop2`) confirm that malformed input now correctly throws an exception instead of looping infinitely.
Preconditions
- Input: the attacker must supply a JSON or XML payload containing an unclosed `/*` comment sequence (e.g., `[*/*A25] **` or `[/`).
- Network: the attacker must be able to send the malicious payload to a service that parses it using Jettison.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-56h3-78gp-v83r (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-40149 (source: GHSA; advisory)
- www.debian.org/security/2023/dsa-5312 (source: GHSA; vendor advisory, web)
- bugs.chromium.org/p/oss-fuzz/issues/detail (source: GHSA; web)
- github.com/jettison-json/jettison/issues/45 (source: GHSA; web)
- github.com/jettison-json/jettison/pull/49/files (source: GHSA; web)
- github.com/jettison-json/jettison/releases/tag/jettison-1.5.1 (source: GHSA; web)
- lists.debian.org/debian-lts-announce/2022/11/msg00011.html (source: GHSA; mailing list, web)