VYPR
Moderate severity · NVD Advisory · Published Oct 6, 2022 · Updated Aug 3, 2024

Stack Overflow in JXPath

CVE-2022-40159

Description

CVE-2022-40159 is a disputed vulnerability in Apache Commons JXPath; the original report was invalid and the CVE allocation was contested by maintainers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

CVE-2022-40159 was originally reported by the oss-fuzz project as a security issue in Apache Commons JXPath. However, the report failed to consider the intended security context of the library, and the CVE was allocated without proper coordination with the JXPath maintainers. After review, the maintainers determined the report to be invalid [1].

Context

Apache Commons JXPath is a Java library that implements XPath 1.0 and is explicitly designed to inspect and modify Java object graphs, as well as mixed Java/XML structures [2]. The library's purpose is to provide a flexible way to navigate object graphs, which inherently involves accessing arbitrary properties. The oss-fuzz report did not account for this design, leading to a misinterpretation of the behavior as a vulnerability.

Impact and Status

Because the reported issue is not a valid vulnerability, there is no security impact. The CVE record remains disputed, and no patch or workaround is necessary. Users of Apache Commons JXPath can continue using the library as intended without security concerns [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| commons-jxpath:commons-jxpath (Maven) | <= 1.3 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
