VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 6, 2025

CVE-2023-34613

Description

sojo before 1.1.2 contains a stack overflow in its JSON parser when handling cyclic dependencies, enabling remote denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-34613 describes a denial-of-service vulnerability in the sojo library (up to version 1.1.1). The issue is triggered when the library's JSON parser processes a crafted object containing cyclic dependencies. The recursive parsing algorithm does not detect cycles, leading to unbounded recursion and a stack overflow [2].

Exploitation

An attacker can exploit this issue by supplying a specially crafted JSON string—specifically one that creates a circular reference—to any application that uses sojo to parse untrusted JSON input. No authentication is required beyond the ability to deliver the malicious payload to the parser. The stack overflow occurs in JsonParserGenerate.java during the parsing of arrays and values [2].

Impact

Successful exploitation results in a StackOverflowError, causing the Java process to crash. This constitutes a denial of service. The official description notes that other unspecified impacts may also be possible, but no further details are provided [1].

Mitigation

As of the publication date (2023-06-14), the sojo project appears to be archived or no longer actively maintained. There is no indication of a patched version. Users of sojo should migrate to an alternative JSON parsing library to avoid this denial-of-service risk [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
net.sf.sojo:sojo (Maven) | <= 1.1.1 | (none listed)

Patches

0

No patches discovered yet.
