VYPR
High severity · NVD Advisory · Published Sep 16, 2022 · Updated Apr 21, 2025

Stack Buffer Overflow in Jettison

CVE-2022-40150

Description

Jettison XML/JSON parser is vulnerable to denial of service via out-of-memory crashes when processing untrusted input with deeply nested or large payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-40150 describes a denial of service (DoS) vulnerability affecting the Jettison Java library, which converts between XML and JSON using StAX. The root cause is insufficient protection against resource exhaustion: when Jettison parses untrusted XML or JSON data, an attacker can supply specially crafted content that triggers excessive memory allocation, leading to an out-of-memory crash [1][2]. This was discovered through OSS-Fuzz fuzzing, which reported multiple bugs including stack overflow and out-of-memory failures [2].

The attack surface is any application that uses Jettison to parse user-supplied JSON or XML content. No authentication is required if the attacker can provide input directly to the parser. The vulnerability is exploitable remotely by sending a payload built from deeply nested structures or extremely large arrays [1]. Jettison notes that it includes default safety limits, such as a recursion depth limit of 500 and a JSONArray length limit of 1,000,000 elements, but these limits may still be insufficient to prevent memory exhaustion in certain scenarios, or may be adjustable by the application [3].

Successful exploitation causes the JVM to run out of memory, resulting in a crash and denial of service for the affected service [1]. As of the publication date, the issue was reported via OSS-Fuzz, and Jettison maintainers were asked to provide contact details to access detailed crash reports [2]. Users are advised to apply input validation and consider the default safety limits; however, no specific patch is mentioned in the available references, so relying on the built-in limits and restricting untrusted input is recommended.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
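One way to apply the "restrict untrusted input" advice above is to bound a payload before it ever reaches the parser. The following is an added example, not Jettison's own code; the class name JsonPayloadGuard is hypothetical, and the limits 500 and 1,000,000 mirror the defaults the advisory cites. It counts brackets outside string literals to enforce a nesting-depth, array-length and byte-size ceiling, and is deliberately not a full JSON validator.

```java
import java.nio.charset.StandardCharsets;

/** Pre-parse guard for untrusted JSON (hypothetical helper, not Jettison code). Not a full validator. */
public final class JsonPayloadGuard {
    private final int maxDepth, maxBytes, maxArrayLength;
    public JsonPayloadGuard(int maxDepth, int maxBytes, int maxArrayLength) {
        this.maxDepth = maxDepth; this.maxBytes = maxBytes; this.maxArrayLength = maxArrayLength;
    }
    /** True when the text stays within the byte, nesting-depth and array-length limits. */
    public boolean isWithinLimits(String json) {
        if (json.getBytes(StandardCharsets.UTF_8).length > maxBytes) return false;
        int depth = 0;
        boolean inString = false;
        int[] commas = new int[maxDepth + 1];          // commas seen in each open container
        boolean[] isArray = new boolean[maxDepth + 1];
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {                             // brackets inside strings are data
                if (c == '\\') i++;                     // skip the escaped character
                else if (c == '"') inString = false;
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) return false; // reject before the parser recurses
                    isArray[depth] = (c == '[');
                    commas[depth] = 0;
                    break;
                case '}': case ']':
                    if (depth > 0) depth--;
                    break;
                case ',':                                 // N commas means N+1 elements
                    if (depth > 0 && isArray[depth] && ++commas[depth] >= maxArrayLength) return false;
                    break;
                default: break;
            }
        }
        return true;
    }
    public static void main(String[] args) {
        JsonPayloadGuard guard = new JsonPayloadGuard(500, 1 << 20, 1_000_000); // the page's stated defaults
        StringBuilder deep = new StringBuilder();       // constructed payload: 600 nested arrays
        for (int i = 0; i < 600; i++) deep.append('[');
        for (int i = 0; i < 600; i++) deep.append(']');
        System.out.println(guard.isWithinLimits("{\"a\":[1,2,\"]]]\"]}"));  // brackets in a string
        System.out.println(guard.isWithinLimits(deep.toString()));           // exceeds depth 500
    }
}
```

Rejecting a payload here costs a single linear scan, whereas letting the parser recurse into it is what triggers the stack and heap exhaustion the advisory describes.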

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
org.codehaus.jettison:jettison  Maven       < 1.5.2             1.5.2
