High severity7.5NVD Advisory· Published Mar 22, 2023· Updated Jun 17, 2026
CVE-2023-1370
CVE-2023-1370
Description
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
net.minidev:json-smartMaven | < 2.4.9 | 2.4.9 |
Affected products
35- osv-coords34 versionspkg:apk/chainguard/celeborn-0.5pkg:apk/chainguard/celeborn-0.6pkg:apk/chainguard/druidpkg:apk/chainguard/elasticsearch-7pkg:apk/chainguard/elasticsearch-8pkg:apk/chainguard/elasticsearch-8-bitnamipkg:apk/chainguard/elasticsearch-8-configpkg:apk/chainguard/elasticsearch-8-iamguardedpkg:apk/chainguard/elasticsearch-configpkg:apk/chainguard/hadoop-client-modulespkg:apk/chainguard/hadoop-fips-3.3.6pkg:apk/chainguard/sonarqube-10pkg:apk/chainguard/sonarqube-10-docker-compatpkg:apk/chainguard/sonarqube-10-scriptspkg:apk/chainguard/spark-3.5.0-compatpkg:apk/chainguard/spark-3.5.0-compat-minimalpkg:apk/chainguard/stargatepkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/wolfi/celeborn-0.5pkg:apk/wolfi/celeborn-0.6pkg:apk/wolfi/druidpkg:apk/wolfi/sonarqube-10pkg:apk/wolfi/sonarqube-10-docker-compatpkg:apk/wolfi/sonarqube-10-scriptspkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:maven/net.minidev/json-smart
< 0.5.4-r26+ 33 more
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 7.17.14-r2
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 3.3.6-r7
- (no CPE)range: < 3.3.6-r21
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.0.79-r2
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 3.7-r4
- (no CPE)range: < 2.4.9
- Range: 0
Patches
Vulnerability mechanics
References
12- research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/nvdExploitThird Party Advisory
- github.com/advisories/GHSA-493p-pfq6-5258ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-1370ghsaADVISORY
- github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87aghsaWEB
- github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8ghsaWEB
- github.com/netplex/json-smart-v2/issues/137ghsaWEB
- github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258ghsaWEB
- research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633ghsaWEB
- security.netapp.com/advisory/ntap-20240621-0006ghsaWEB
- security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748ghsaWEB
- www.cve.org/CVERecordghsaWEB
- security.netapp.com/advisory/ntap-20240621-0006/nvd
News mentions
0No linked articles in our index yet.