VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 6, 2025

CVE-2023-34612

Description

Crafted JSON with cyclic dependencies in ph-json through 9.5.5 causes stack overflow leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

An issue in ph-json through version 9.5.5 allows attackers to cause a denial of service (DoS) by providing a crafted JSON object with cyclic dependencies [1]. The root cause is insufficient depth or cycle detection during JSON parsing, leading to a stack overflow error [1]. The official description confirms the issue allows unspecified impacts, but the primary evidence shows a StackOverflowError [1][2].

Exploitation

Conditions

Exploitation requires the attacker to supply untrusted JSON input to a service using ph-json. No authentication is needed if the parser runs on user-supplied data [1]. The attack is triggered by nesting arrays or objects in a cycle, causing infinite recursion in methods like _readArray and _readValue [1]. The overflow trace shows repeated calls in the JSON parser, eventually exhausting the call stack [1].

Impact

A successful attack results in a crash of the Java application parsing the JSON, causing a denial of service [1]. The vulnerability does not appear to enable arbitrary code execution or data leakage based on available references [1][2]. The NVD entry references the GitHub issue as the primary source but does not provide further impact details [2].

Mitigation

The issue is reported in the ph-commons GitHub repository, but as of the publication date (2023-06-14), no patch is mentioned in the references [1][2][3]. Users should consider validating or sanitizing JSON input before parsing (in particular, rejecting documents whose container nesting exceeds a fixed depth), or bounding the parser's recursion depth. The maintainer was notified via the GitHub issue, but a response is not documented in the provided sources.
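One way to apply the depth limit suggested above, as an added example that is not ph-json's or the advisory's own code: a linear-time, constant-stack guard in Java that counts container nesting outside string literals and rejects input beyond a threshold before a recursive-descent parser ever recurses. The class name, the method name and the threshold of 64 are assumptions; the inputs in main are constructed samples.

```java
// Added example, not ph-json code: O(n)-time, O(1)-stack nesting-depth guard to run
// over raw JSON text before handing it to a recursive-descent parser.
public final class JsonDepthGuard {
    public static final int DEFAULT_MAX_DEPTH = 64; // assumed threshold; tune per application

    public static final class DepthExceededException extends IllegalArgumentException {
        public DepthExceededException(int depth, int max) {
            super("JSON nesting depth " + depth + " exceeds limit " + max);
        }
    }

    /** Returns the deepest container nesting seen, or throws once it passes maxDepth. */
    public static int checkDepth(CharSequence json, int maxDepth) {
        int depth = 0, maxSeen = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) { // brackets inside string literals do not nest
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;
            }
            if (c == '"') {
                inString = true;
            } else if (c == '{' || c == '[') {
                if (++depth > maxDepth) throw new DepthExceededException(depth, maxDepth);
                maxSeen = Math.max(maxSeen, depth);
            } else if (c == '}' || c == ']') {
                if (--depth < 0) throw new IllegalArgumentException("unbalanced closer at " + i);
            }
        }
        return maxSeen; // the real parser still validates full syntax afterwards
    }

    public static void main(String[] args) {
        // Constructed input: benign document with a bracket inside a string literal.
        String ok = "{\"msg\": \"[not a list]\", \"data\": [[1, 2], {\"k\": [3]}]}";
        System.out.println("accepted, depth " + checkDepth(ok, DEFAULT_MAX_DEPTH));
        // Constructed input: 100000 nested arrays, the shape that drives an unbounded
        // recursive parser into StackOverflowError; the guard rejects it without recursing.
        String nested = "[".repeat(100_000) + "]".repeat(100_000);
        try {
            checkDepth(nested, DEFAULT_MAX_DEPTH);
        } catch (DepthExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run the guard on the request body before calling the library's reader, and reject the request when it throws; the check costs one pass over the text and no recursion.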

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
com.helger.commons:ph-json (Maven)   <= 11.0.4           (none listed)

Patches

No patches discovered yet.