VYPR
High severity · NVD Advisory · Published Dec 13, 2022 · Updated Apr 22, 2025

CVE-2022-45693

Description

A stack overflow bug in Jettison < 1.5.2 allows DoS via a crafted map that self-references itself in JSONObject.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

CVE-2022-45693 is a stack overflow vulnerability in Jettison, a Java library for converting between XML and JSON. The issue resides in the JSONObject constructor when processing a Map parameter. If the map contains a self-referencing entry (i.e., a map value is the map itself), Jettison's recursive conversion logic keeps descending into the same map until the thread's stack is exhausted, causing a StackOverflowError [1][3]. This occurs because, before the fix in version 1.5.2, the library had no depth or recursion check that would catch self-referencing maps [1].

Attack Vector

The vulnerability can be triggered by providing a crafted string that, when parsed, produces a map with a self-referential structure. The official proof-of-concept shows that a HashMap<String,Object> with an entry pointing to itself, passed to new JSONObject(map), immediately triggers a stack overflow [3]. An attacker can exploit this remotely by sending malformed JSON data if the target application uses Jettison to deserialize untrusted input without adequate validation.

Impact

Successful exploitation results in a Denial of Service (DoS) condition. The StackOverflowError crashes the JVM thread processing the request, making the application unresponsive [1]. Since no authentication is required to send the malicious payload (if the endpoint is accessible), this vulnerability poses a significant availability risk to services that accept and parse JSON using Jettison [1].

Mitigation

The vulnerability is fixed in Jettison version 1.5.2, which introduced a recursion depth limit in JSONObject (default 500) to prevent such self-referencing loops [2]. Users should upgrade to version 1.5.2 or later. If immediate upgrade is not possible, a workaround is to apply input validation that detects deeply nested or self-referential structures before passing data to Jettison [1][2].
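The workaround described above, written in Java as an added example (not code from the page or the Jettison project): a pre-check run before calling new JSONObject(map). It walks Map and Collection values while tracking the containers on the current path by identity, so a container that reaches itself is rejected while a structure merely shared between two paths passes, and it caps nesting at a depth mirroring the 500 default the fix introduced. The class name, the exception type and the MAX_DEPTH constant are assumptions.

```java
import java.util.*;

/** Pre-check run before handing untrusted structures to new JSONObject(map). */
public final class JettisonInputGuard {
    /** Assumed cap, mirroring the default recursion limit of 500 added in 1.5.2. */
    private static final int MAX_DEPTH = 500;
    public static final class UnsafeStructureException extends IllegalArgumentException {
        public UnsafeStructureException(String msg) { super(msg); }
    }
    /** Returns true when the value is safe to pass to Jettison; throws otherwise. */
    public static boolean check(Object value) {
        // Identity-based set: equals()/hashCode() cannot be used here, because a
        // self-referencing HashMap overflows the stack inside hashCode() as well.
        walk(value, Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>()), 0);
        return true;
    }
    private static void walk(Object value, Set<Object> onPath, int depth) {
        if (depth > MAX_DEPTH) {
            throw new UnsafeStructureException("nesting deeper than " + MAX_DEPTH);
        }
        Collection<?> children;
        if (value instanceof Map) {
            children = ((Map<?, ?>) value).values();
        } else if (value instanceof Collection) {
            children = (Collection<?>) value;
        } else {
            return; // scalar (String, Number, Boolean, null): nothing to descend into
        }
        // A container already on the current path is a cycle. One merely reachable
        // twice via different paths (a DAG) is harmless and passes.
        if (!onPath.add(value)) {
            throw new UnsafeStructureException("self-referencing container at depth " + depth);
        }
        for (Object child : children) {
            walk(child, onPath, depth + 1);
        }
        onPath.remove(value);
    }
    public static void main(String[] args) {
        Map<String, Object> benign = new HashMap<>();
        benign.put("b", Arrays.asList("x", Collections.singletonMap("c", true)));
        System.out.println("benign map accepted: " + check(benign));
        Map<String, Object> self = new HashMap<>();
        self.put("loop", self); // constructed self-referencing entry, the pattern the PoC uses
        try { check(self); } catch (UnsafeStructureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the class prints that the benign map is accepted and that the self-referencing map is rejected at depth 1, without ever reaching Jettison.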

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.codehaus.jettison:jettison (Maven)
Affected versions: < 1.5.2
Patched versions: 1.5.2

Affected products: 7

References: 5
