Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray
Description
Jettison JSON library has an infinite recursion vulnerability when constructing a JSONArray from a self-referencing Collection, causing a StackOverflowError.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2023-1436 is an infinite recursion vulnerability in the Jettison JSON library. The root cause lies in the JSONArray constructor, which does not detect circular references when building from a Collection. If an element of the collection contains a reference back to the collection itself, the recursive traversal never terminates, leading to a StackOverflowError [1].
Exploitation
The trigger is a Java Collection that contains a reference to itself (directly, or through nested Collections) being passed to the JSONArray(Collection) constructor. JSON text cannot express such a cycle, so parsing an attacker-supplied JSON string through JSONArray(String) does not reach this code path; the exposed applications are those that build Collections from attacker-influenced data and hand them to Jettison. No authentication is required beyond whatever gates that input. The attack surface is therefore any service that converts externally controlled object graphs into JSONArray objects using Jettison [1][2].
Impact
The primary impact is denial of service (DoS) via stack overflow, causing the application to crash. There is no evidence of remote code execution or data exfiltration. The vulnerability can be triggered repeatedly to disrupt availability [1].
Mitigation
The issue is fixed in Jettison version 1.5.4 [3]. The fix threads a recursion depth counter through the JSONArray(Collection) constructor and throws a JSONException once the counter exceeds the library's existing global limit, JSONObject.getGlobalRecursionDepthLimit() (default 500, adjustable with JSONObject.setGlobalRecursionDepthLimit) [4]. Users should upgrade to 1.5.4 or later; where upgrading is not yet possible, reject self-referential or excessively nested object graphs before handing them to Jettison, because the StackOverflowError thrown by vulnerable versions cannot be handled reliably inside the application.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.codehaus.jettison:jettison (Maven) | < 1.5.4 | 1.5.4 |
Affected products
Affected version ranges by package URL (no CPE assigned to any of them):
- pkg:apk/chainguard/druid: < 35.0.1-r5
- pkg:apk/chainguard/druid-compat: < 34.0.0-r6
- pkg:apk/wolfi/druid: < 35.0.1-r5
- pkg:apk/wolfi/druid-compat: < 34.0.0-r6
- pkg:maven/org.codehaus.jettison/jettison: < 1.5.4
- pkg:rpm/opensuse/jettison&distro=openSUSE%20Leap%2015.4: < 1.5.4-150200.3.7.1
- pkg:rpm/opensuse/jettison&distro=openSUSE%20Tumbleweed: < 1.5.4-1.1
- jettison/jettison (v5 record): range 0
Patches
2a77ffc4a70e9[maven-release-plugin] prepare release jettison-1.5.4
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -2,7 +2,7 @@ <modelVersion>4.0.0</modelVersion> <groupId>org.codehaus.jettison</groupId> <artifactId>jettison</artifactId> - <version>1.5.4-SNAPSHOT</version> + <version>1.5.4</version> <packaging>bundle</packaging> <name>Jettison</name> <description>A StAX implementation for JSON.</description> @@ -31,7 +31,7 @@ <connection>scm:git:http://github.com/jettison-json/jettison.git</connection> <developerConnection>scm:git:https://github.com/jettison-json/jettison.git</developerConnection> <url>https://github.com/jettison-json/jettison</url> - <tag>HEAD</tag> + <tag>jettison-1.5.4</tag> </scm> <distributionManagement> <snapshotRepository>
c20a8be23f69Fixing issue 60
2 files changed · +32 −9
src/main/java/org/codehaus/jettison/json/JSONArray.java+17 −9 modified@@ -182,22 +182,30 @@ public JSONArray(String string) throws JSONException { * @throws JSONException If there is a syntax error. */ public JSONArray(Collection collection) throws JSONException { + this(collection, 0); + } + + private JSONArray(Collection collection, int recursionDepth) throws JSONException { + if (recursionDepth > JSONObject.getGlobalRecursionDepthLimit()) { + throw new JSONException("JSONArray has reached recursion depth limit of " + + JSONObject.getGlobalRecursionDepthLimit()); + } + this.myArrayList = (collection == null) ? new ArrayList() : new ArrayList(collection); // ensure a pure hierarchy of JSONObjects and JSONArrays for (ListIterator iter = myArrayList.listIterator(); iter.hasNext();) { - Object e = iter.next(); - if (e instanceof Collection) { - iter.set(new JSONArray((Collection) e)); - } - if (e instanceof Map) { - iter.set(new JSONObject((Map) e)); - } - } + Object e = iter.next(); + if (e instanceof Collection) { + iter.set(new JSONArray((Collection) e, recursionDepth + 1)); + } + if (e instanceof Map) { + iter.set(new JSONObject((Map) e)); + } + } } - /** * Get the object value associated with an index. * @param index
src/test/java/org/codehaus/jettison/json/JSONArrayTest.java+15 −0 modified@@ -2,6 +2,9 @@ import junit.framework.TestCase; +import java.util.ArrayList; +import java.util.List; + public class JSONArrayTest extends TestCase { public void testInvalidArraySequence() throws Exception { try { @@ -67,6 +70,18 @@ public void testInfiniteLoop2() { public void testIssue52() throws JSONException { JSONObject.setGlobalRecursionDepthLimit(10); new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]"); + JSONObject.setGlobalRecursionDepthLimit(500); + } + + // https://github.com/jettison-json/jettison/issues/60 + public void testIssue60() throws JSONException { + List<Object> list = new ArrayList<>(); + list.add(list); + try { + new JSONArray(list); + } catch (JSONException ex) { + assertEquals(ex.getMessage(), "JSONArray has reached recursion depth limit of 500"); + } } }
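Review bot: in the JSONArray.java hunk, the Map branch of the rebuilt loop (`iter.set(new JSONObject((Map) e));`) does not receive `recursionDepth`, so nesting that passes through a Map is not counted toward the limit while nesting through a Collection is; either pass the counter into a matching JSONObject(Map, int) constructor or add a comment stating why the Map path cannot recurse back into JSONArray(Collection). Minor: the guard is `recursionDepth > JSONObject.getGlobalRecursionDepthLimit()` while the message says the limit has been "reached", so with the default of 500 the constructor nests 501 levels before throwing; use `>=` or reword the message so the two agree.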
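Review bot: in the JSONArrayTest.java hunk, testIssue60 passes vacuously if the constructor returns normally, because there is no `fail(...)` after `new JSONArray(list);` inside the try block; add `fail("expected JSONException");` after the constructor call so a silently succeeding constructor is caught (a StackOverflowError would still fail the test, but a missing exception would not). Also `assertEquals(ex.getMessage(), "JSONArray has reached recursion depth limit of 500")` has its arguments in (actual, expected) order, which swaps the labels in the failure message, and testIssue52 restores the limit by hardcoding 500 instead of saving `JSONObject.getGlobalRecursionDepthLimit()` before changing it, so a different configured default would leak into later tests.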
Vulnerability mechanics
Root cause
"Missing recursion-depth guard in JSONArray(Collection) constructor allows infinite recursion when a collection element contains a self-reference."
Attack vector
An attacker crafts a Collection (e.g., a List) where one element is the collection itself, creating a circular reference. When this collection is passed to the JSONArray constructor, the constructor iterates over elements and recursively wraps any nested Collection in a new JSONArray. Because the self-referencing element is the same collection, this recursion never terminates, causing a StackOverflowError. The attacker does not need authentication; the only precondition is that the application passes attacker-controlled collection data to the JSONArray constructor [patch_id=1641142].
Affected code
The vulnerable code is the public JSONArray(Collection) constructor in src/main/java/org/codehaus/jettison/json/JSONArray.java. It recursively wraps nested Collection elements in new JSONArray instances without any depth limit, enabling infinite recursion on self-referencing collections [patch_id=1641142].
What the fix does
The patch adds a private JSONArray(Collection, int) constructor that accepts a recursionDepth parameter. Before processing elements, it checks whether recursionDepth exceeds JSONObject.getGlobalRecursionDepthLimit() and throws a JSONException if so. The public JSONArray(Collection) constructor delegates to this new constructor with depth 0, and recursive calls for nested Collection elements pass recursionDepth + 1. This bounds the recursion depth and converts the uncontrolled StackOverflowError into a controlled JSONException [patch_id=1641142].
Preconditions
- input: Attacker must supply a Collection that contains a self-reference (e.g., a List that contains itself as an element).
- config: The application must pass the attacker-controlled Collection to the JSONArray constructor.
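As an added example (not Jettison project code and not taken from the advisory), the trigger from issue 60 beside a caller-side cycle check that works whichever Jettison version is on the classpath. The class and helper names (JettisonCycleDemo, selfReferencingList, rejectCycles, walk) are assumptions for this illustration; the only Jettison calls used are the public JSONArray(Collection) constructor and the static JSONObject get/setGlobalRecursionDepthLimit methods visible in the patch. Which branch of step 1 fires depends on whether the resolved org.codehaus.jettison:jettison version is below or at least 1.5.4.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

// Added example, not Jettison project code. Class and helper names are
// assumptions chosen for this illustration.
public class JettisonCycleDemo {

    // The object graph from issue 60: a List that contains itself.
    static List<Object> selfReferencingList() {
        List<Object> list = new ArrayList<>();
        list.add("harmless element");
        list.add(list);                      // the cycle
        return list;
    }

    // Caller-side guard (assumed helper, not a Jettison API): refuse any
    // nested Collection/Map graph that contains a reference cycle. An
    // identity-based set is required because ArrayList.equals/hashCode on a
    // cyclic list would themselves recurse forever.
    static void rejectCycles(Object value) {
        walk(value, Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>()));
    }

    private static void walk(Object value, Set<Object> onPath) {
        if (!(value instanceof Collection) && !(value instanceof Map)) {
            return;                          // scalars cannot close a cycle
        }
        if (!onPath.add(value)) {
            throw new IllegalArgumentException(
                "self-referencing container rejected: " + value.getClass().getName());
        }
        Iterable<?> children = (value instanceof Map)
            ? ((Map<?, ?>) value).values()
            : (Collection<?>) value;
        for (Object child : children) {
            walk(child, onPath);
        }
        onPath.remove(value);                // shared but acyclic subtrees stay allowed
    }

    public static void main(String[] args) throws JSONException {
        List<Object> list = selfReferencingList();

        // 1. Unguarded: Jettison < 1.5.4 unwinds with StackOverflowError,
        //    >= 1.5.4 throws JSONException once the global depth limit
        //    (default 500) is exceeded. The Error catch is only here to label
        //    the outcome; it is not a viable mitigation in production code.
        try {
            new JSONArray(list);
        } catch (JSONException fixedVersion) {
            System.out.println("fixed Jettison: " + fixedVersion.getMessage());
        } catch (StackOverflowError vulnerableVersion) {
            System.out.println("vulnerable Jettison: StackOverflowError");
        }

        // 2. Guarded: the cycle is refused before Jettison sees it, on every version.
        try {
            rejectCycles(list);
            new JSONArray(list);
        } catch (IllegalArgumentException rejected) {
            System.out.println("caller-side guard: " + rejected.getMessage());
        }

        // 3. The guard still accepts legitimate acyclic sharing of a sublist.
        List<Object> shared = new ArrayList<>(Arrays.asList("x"));
        List<Object> ok = new ArrayList<>(Arrays.asList(shared, shared));
        rejectCycles(ok);
        System.out.println(new JSONArray(ok));

        // 4. On 1.5.4+, a lower global limit caps the work done before a deep
        //    or cyclic input is refused. The setter is process-wide state,
        //    so set it once at startup rather than per request.
        JSONObject.setGlobalRecursionDepthLimit(64);
        System.out.println("depth limit now " + JSONObject.getGlobalRecursionDepthLimit());
    }
}
```

The guard removes each container from the visited set on the way back up, so a subtree referenced twice from different parents is accepted while a path that revisits a container on its own ancestry is rejected; that is exactly the distinction between harmless sharing and the cycle that drives the recursion.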
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-q6g2-g7f3-rr83 (advisory; source: GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2023-1436 (advisory; source: GHSA)
- https://github.com/jettison-json/jettison/issues/60 (web; source: GHSA)
- https://github.com/jettison-json/jettison/pull/62 (web; source: GHSA)
- https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4 (web; source: GHSA)
- https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911 (web; sources: GHSA, MITRE)