VYPR
Moderate severity · NVD Advisory · Published Jun 1, 2023 · Updated Aug 2, 2024

CVE-2023-33546

Description

Janino 3.1.9 and earlier are vulnerable to denial of service via stack overflow when evaluating untrusted user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

Janino versions 3.1.9 and earlier contain a denial-of-service vulnerability reachable through the expression evaluator's guessParameterNames method. When the parser processes deeply nested or otherwise crafted input, it recurses without bound, exhausts the call stack and raises a StackOverflowError that can crash the application. The reported stack trace shows recursive parsing through methods such as parsePrimary and parseUnaryExpression, confirming that the recursive-descent parser enforces no depth limit [2].

Exploitation

An attacker can cause a denial of service by supplying a specially crafted Java expression to an application that uses Janino's expression evaluator to parse user-supplied content. No authentication is required when the vulnerable component is exposed to untrusted users, but the attack depends on the parser being invoked with attacker-controlled data [1][3].

Impact

Successful exploitation results in a denial of service: the StackOverflowError unwinds the evaluating thread and, if uncaught, can terminate the Java process or leave the service unresponsive. The vulnerability does not allow code execution or data exfiltration, but it can disrupt the availability of services that rely on Janino for expression evaluation [3].

Mitigation

As of Janino 3.1.9, no patch has been released for this issue. The project maintainers and other parties dispute the vulnerability, noting that Janino is not designed to process untrusted input [1][3]. Organizations should avoid exposing the expression evaluator to user-supplied content. If untrusted input must be processed, apply workarounds such as capping expression length and nesting depth before parsing, running the evaluation on an isolated thread or process with a bounded stack so that a StackOverflowError can be caught and contained, or sandboxing the evaluator [3][4].
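The workaround described above (pre-check nesting depth and length, confine parsing to a thread with a bounded stack, catch the StackOverflowError so it cannot take down the service), as an added example that is not part of this advisory or of the Janino project. It assumes Janino 3.1.x on the classpath and uses ExpressionEvaluator.setExpressionType, cook and evaluate; the class name GuardedJaninoEval, the limits MAX_NESTING and MAX_LENGTH, the 1 MiB stack and the 2-second time budget are illustrative choices, not values from the page.

```java
// Added example: a defensive wrapper around Janino's ExpressionEvaluator.
// Not Janino project code. Assumes Janino 3.1.x on the classpath:
//   org.codehaus.janino.ExpressionEvaluator#setExpressionType/#cook/#evaluate
// All limits below are hypothetical and should be tuned to the deployment.
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicReference;

import org.codehaus.janino.ExpressionEvaluator;

public final class GuardedJaninoEval {

    /** Maximum bracket nesting accepted before parsing is attempted (hypothetical limit). */
    static final int MAX_NESTING = 64;
    /** Maximum expression length accepted (hypothetical limit). */
    static final int MAX_LENGTH = 4096;
    /** Stack size for the isolated evaluation thread; small so an overflow stays cheap and contained. */
    static final long EVAL_STACK_BYTES = 1L << 20;
    /** Time budget for compile + evaluate (hypothetical). */
    static final long TIME_BUDGET_MS = 2_000;

    /**
     * Cheap syntactic pre-check: deepest nesting of (), [] and {}.
     * Long unary-operator chains such as "--------x" also recurse in Janino's
     * parser, which is why the length cap is applied in addition to this count.
     */
    static int maxNestingDepth(String expr) {
        int depth = 0, max = 0;
        for (int i = 0; i < expr.length(); i++) {
            char c = expr.charAt(i);
            if (c == '(' || c == '[' || c == '{') {
                depth++;
                if (depth > max) max = depth;
            } else if (c == ')' || c == ']' || c == '}') {
                depth--;
            }
        }
        return max;
    }

    static boolean isAcceptable(String expr) {
        return expr.length() <= MAX_LENGTH && maxNestingDepth(expr) <= MAX_NESTING;
    }

    /**
     * Compiles and evaluates expr on a thread with a bounded stack. A StackOverflowError
     * raised inside Janino's parser is caught on that thread and surfaced as an
     * IllegalArgumentException instead of propagating into the caller's thread.
     */
    public static Object evaluateGuarded(String expr) throws Exception {
        if (!isAcceptable(expr)) {
            throw new IllegalArgumentException("expression rejected by pre-check");
        }
        AtomicReference<Object> result = new AtomicReference<>();
        AtomicReference<Throwable> failure = new AtomicReference<>();
        Runnable task = () -> {
            try {
                ExpressionEvaluator ee = new ExpressionEvaluator();
                ee.setExpressionType(Object.class);
                ee.cook(expr);                       // parse + compile (recursive descent happens here)
                result.set(ee.evaluate(new Object[0]));
            } catch (Throwable err) {                // Throwable: StackOverflowError is an Error, not an Exception
                failure.set(err);
            }
        };
        Thread worker = new Thread(null, task, "janino-eval", EVAL_STACK_BYTES);
        worker.setDaemon(true);                      // an abandoned worker must not block JVM shutdown
        worker.start();
        worker.join(TIME_BUDGET_MS);
        if (worker.isAlive()) {
            // Janino does not poll the interrupt flag; the daemon thread is abandoned, not stopped.
            throw new TimeoutException("evaluation exceeded time budget");
        }
        Throwable f = failure.get();
        if (f instanceof StackOverflowError) {
            throw new IllegalArgumentException("expression too deeply nested for the parser", f);
        }
        if (f instanceof Exception) throw (Exception) f;   // CompileException, InvocationTargetException, ...
        if (f != null) throw new RuntimeException(f);      // any other Error
        return result.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(evaluateGuarded("1 + 2 * 3"));

        // Constructed hostile input: 100k nested parentheses around a literal.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100_000; i++) sb.append('(');
        sb.append('1');
        for (int i = 0; i < 100_000; i++) sb.append(')');
        try {
            evaluateGuarded(sb.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The stack size passed to the Thread constructor is only a hint that some JVMs ignore, so the pre-check is the primary control and the catch is the backstop. None of this makes Janino safe for untrusted input, which the maintainers say it is not designed for; it only turns a crash into a rejected request, and a process-level sandbox with its own memory and CPU limits is the stronger option when untrusted expressions cannot be avoided.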

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.codehaus.janino:janino-parent (Maven)
Affected versions: <= 3.1.9
Patched versions: none

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0