VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 6, 2025

CVE-2023-34610

Description

json-io through 4.14.0 is vulnerable to denial of service via crafted JSON with deeply nested or cyclic object structures causing stack overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

json-io is a Java serialization library that converts Java objects to JSON, JSON5, and TOON. The library's parser (JsonParser) recursively processes nested objects and arrays without a depth limit. When parsing a crafted JSON string that contains deeply nested arrays or cyclic dependencies, the recursion exhausts the call stack, resulting in a StackOverflowError. This issue affects versions up to and including 4.14.0 [3].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted JSON document, such as one containing a deeply nested array (e.g., 9999 levels deep) to any application that uses json-io to parse untrusted user input. The attack requires no prior authentication and can be delivered over the network if the application processes JSON from external sources [3].

Impact

Successful exploitation leads to a denial of service (DoS) as the Java application crashes due to a stack overflow. The official CVE description also mentions potential for other unspecified impacts, but the primary observed effect is service disruption [3].

Mitigation

The vulnerability has been addressed in json-io version 4.14.1, which introduces limits on parsing depth to prevent stack overflow [2]. Users are strongly advised to upgrade to this version or later. As a workaround, applications can implement input validation to reject JSON documents with excessive nesting levels.
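As an added example, not code from the json-io project, the following is the nesting-depth pre-check the workaround describes, for a Java application that passes untrusted JSON to json-io; the limit of 64, the class name JsonDepthGuard and the sample payloads are assumptions.

```java
/** Rejects JSON whose nesting depth exceeds a limit before it reaches a recursive parser. */
public final class JsonDepthGuard {
    private final int maxDepth;

    public JsonDepthGuard(int maxDepth) { this.maxDepth = maxDepth; }

    /**
     * Returns the deepest object/array nesting in the document, or throws
     * IllegalArgumentException as soon as maxDepth is exceeded. Single linear pass,
     * constant memory; brackets inside string literals (and escaped quotes) are ignored.
     */
    public int check(String json) {
        int depth = 0, deepest = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) { escaped = false; }
                else if (c == '\\') { escaped = true; }
                else if (c == '"') { inString = false; }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) {
                        throw new IllegalArgumentException(
                            "JSON nesting depth exceeds limit of " + maxDepth + " at offset " + i);
                    }
                    deepest = Math.max(deepest, depth);
                    break;
                case '}': case ']':
                    if (--depth < 0) {
                        throw new IllegalArgumentException("Unbalanced closing bracket at offset " + i);
                    }
                    break;
                default: break;
            }
        }
        if (depth != 0 || inString) throw new IllegalArgumentException("Malformed JSON");
        return deepest;
    }

    public static void main(String[] args) {
        JsonDepthGuard guard = new JsonDepthGuard(64);
        // Constructed input: the "[[[[" inside the string value must not count toward depth.
        System.out.println("depth = " + guard.check("{\"a\":[1,[2,[3]]],\"s\":\"[[[[\"}"));
        // Constructed payload of the kind the advisory describes: 9999 nested arrays.
        String deep = "[".repeat(9999) + "]".repeat(9999);
        try { guard.check(deep); } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run the guard on the raw input and only hand documents it accepts to json-io; note that a depth pre-check does not address cyclic reference structures, so upgrading to 4.14.1 or later remains the actual fix.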

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.cedarsoftware:json-io (Maven)
Affected versions: < 4.14.1
Patched versions: 4.14.1
