CVE-2022-45685
Description
A stack overflow vulnerability in Jettison before 1.5.2 allows remote denial of service via deeply nested JSON objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
CVE-2022-45685 is a stack overflow vulnerability in the Jettison Java library (versions before 1.5.2), which is used for converting between XML and JSON. The root cause is that the JSON parser places no limit on recursion depth while processing nested structures: each additional nesting level costs one more stack frame. An attacker can craft a JSON payload with an excessive number of opening braces (e.g., {{{{...), so the parser recurses once per level until the thread's stack is exhausted and the JVM throws a StackOverflowError [1][2]. The official fix introduced a default recursion depth limit of 500, configurable via JSONObject.setGlobalRecursionDepthLimit() [3].
Exploitation
The attack surface includes any application that parses untrusted JSON using Jettison. No authentication or special network position is required; the attacker simply sends a specially crafted JSON string to an endpoint that hands it to the parser. The proof-of-concept provided in the issue tracker demonstrates a string of hundreds of nested braces that triggers the overflow [1]. Because the overflow happens during parsing, any application-level validation of the decoded data never runs; a check has to operate on the raw input or inside the parser itself.
Impact
Successful exploitation results in a denial of service (DoS) condition. The JVM thread processing the malicious JSON throws a StackOverflowError; unless the application handles it, the thread dies, which can leave the application unresponsive or terminate it. StackOverflowError is a java.lang.Error rather than an Exception, so generic catch (Exception e) handlers around the parse call do not catch it. The payload is cheap to produce and send, so the attack can be repeated to sustain a DoS condition.
Mitigation
The vulnerability is fixed in Jettison version 1.5.2, which enforces a default recursion depth limit of 500 [3]. Users are advised to upgrade to this version or later. The limit is global to the process, as the name JSONObject.setGlobalRecursionDepthLimit() indicates, and can be lowered further if the application never legitimately needs documents that deep. Note that this API is part of the fix and does not exist in earlier releases, so applications that cannot upgrade immediately must enforce a nesting-depth or size limit on the raw input before it reaches Jettison. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
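The mechanism described under Details and the two mitigations above (a depth limit inside the parser, as 1.5.2 did, and a boundary pre-check for deployments stuck on an older release), as an added Python model. This is not Jettison's code: the parser is a minimal JSON subset, Python's RecursionError stands in for the JVM's StackOverflowError, and DEFAULT_DEPTH_LIMIT, nesting_depth, nested_objects, parse, parse_unpatched, parse_patched and guarded_parse_unpatched are names chosen for this example. The payloads are constructed inline.

```python
"""Model of CVE-2022-45685: unbounded recursion in a recursive-descent JSON
parser, the in-parser depth limit Jettison 1.5.2 added, and a boundary check
for callers who cannot upgrade. Illustrative code, not Jettison's own."""

# Mirrors the 500 default the advisory describes for Jettison 1.5.2.
DEFAULT_DEPTH_LIMIT = 500


class DepthLimitExceeded(ValueError):
    """Clean parse error raised instead of letting the stack blow up."""


def _skip_ws(text, pos):
    while pos < len(text) and text[pos] in " \t\r\n":
        pos += 1
    return pos


def parse_value(text, pos=0, depth=0, limit=None):
    """Recursive-descent parser for a JSON subset (objects, arrays, strings
    without escapes, integers). Returns (value, next_pos).
    limit=None  -> no depth check: every nested container costs one more frame,
                   so deep input ends in RecursionError (pre-1.5.2 behaviour).
    limit=int   -> refuse any container nested deeper than `limit` levels."""
    pos = _skip_ws(text, pos)
    if pos >= len(text):
        raise ValueError("unexpected end of input")
    c = text[pos]
    if c == '"':
        end = text.index('"', pos + 1)
        return text[pos + 1:end], end + 1
    if c in "{[":
        if limit is not None and depth >= limit:
            raise DepthLimitExceeded(f"nesting deeper than {limit} refused")
        is_obj = c == "{"
        close = "}" if is_obj else "]"
        result = {} if is_obj else []
        pos = _skip_ws(text, pos + 1)
        if pos < len(text) and text[pos] == close:
            return result, pos + 1
        while True:
            if is_obj:
                key, pos = parse_value(text, pos, depth + 1, limit)
                if not isinstance(key, str):
                    raise ValueError("object keys must be strings")
                pos = _skip_ws(text, pos)
                if pos >= len(text) or text[pos] != ":":
                    raise ValueError(f"expected ':' at {pos}")
                pos += 1
            val, pos = parse_value(text, pos, depth + 1, limit)
            if is_obj:
                result[key] = val
            else:
                result.append(val)
            pos = _skip_ws(text, pos)
            if pos >= len(text):
                raise ValueError("unterminated container")
            if text[pos] == ",":
                pos += 1
                continue
            if text[pos] == close:
                return result, pos + 1
            raise ValueError(f"expected ',' or '{close}' at {pos}")
    start = pos
    while pos < len(text) and (text[pos].isdigit() or text[pos] == "-"):
        pos += 1
    if start == pos:
        raise ValueError(f"unexpected character {c!r} at {pos}")
    return int(text[start:pos]), pos


def parse(text, limit=DEFAULT_DEPTH_LIMIT):
    """Parse a whole document; limit=None reproduces the unbounded variant."""
    value, end = parse_value(text, 0, 0, limit)
    if _skip_ws(text, end) != len(text):
        raise ValueError("trailing data after JSON value")
    return value


def nesting_depth(text):
    """Boundary pre-check that needs no parser: maximum container nesting of
    `text`, computed iteratively, ignoring brackets inside string literals."""
    depth = max_depth = 0
    in_str = False
    i = 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c in "}]":
            depth -= 1
        i += 1
    return max_depth


def nested_objects(n):
    """Constructed payload: n nested objects, e.g. {"k":{"k":1}} for n=2."""
    return '{"k":' * n + "1" + "}" * n


def parse_unpatched(text):
    """Pre-1.5.2 analogue; RecursionError plays the role of StackOverflowError."""
    try:
        parse(text, limit=None)
        return "ok"
    except RecursionError:
        return "stack-overflow"


def parse_patched(text, limit=DEFAULT_DEPTH_LIMIT):
    """1.5.2 analogue: the limit is enforced inside the parser."""
    try:
        parse(text, limit=limit)
        return "ok"
    except DepthLimitExceeded:
        return "rejected"


def guarded_parse_unpatched(text, limit=DEFAULT_DEPTH_LIMIT):
    """Mitigation for callers stuck on an unpatched parser: bound the raw
    input's nesting at the application boundary before parsing."""
    if nesting_depth(text) > limit:
        return "rejected"
    return parse_unpatched(text)


if __name__ == "__main__":
    payload = nested_objects(100_000)
    print("depth:", nesting_depth(payload))
    print("unpatched:", parse_unpatched(payload))
    print("patched:", parse_patched(payload))
    print("guarded unpatched:", guarded_parse_unpatched(payload))
```

The payload is only a few hundred kilobytes, so a byte-size limit alone is not a reliable defence; the boundary check has to count nesting. The pre-check deliberately scans without recursion, since a recursive depth counter would have the same weakness as the parser it protects.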
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.codehaus.jettison:jettison (Maven) | < 1.5.2 | 1.5.2 |
Affected products
- Jettison / Jettison
- OSV coordinates (6 versions):

| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/druid | (no CPE) | < 35.0.1-r5 |
| pkg:apk/chainguard/druid-compat | (no CPE) | < 34.0.0-r6 |
| pkg:apk/wolfi/druid | (no CPE) | < 35.0.1-r5 |
| pkg:apk/wolfi/druid-compat | (no CPE) | < 34.0.0-r6 |
| pkg:maven/org.codehaus.jettison/jettison | (no CPE) | < 1.5.2 |
| pkg:rpm/opensuse/jettison?distro=openSUSE%20Tumbleweed | (no CPE) | < 1.5.3-1.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7rf3-mqpx-h7xg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45685 (GHSA, advisory)
- www.debian.org/security/2023/dsa-5312 (GHSA, vendor advisory, web)
- github.com/jettison-json/jettison/issues/54 (GHSA, web)
- lists.debian.org/debian-lts-announce/2022/12/msg00045.html (GHSA, mailing list, web)
News mentions
No linked articles in our index yet.