VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 3, 2025

CVE-2023-34615

Description

An issue was discovered in JSONUtil through 5.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JSONUtil through 5.0 is vulnerable to denial of service via stack overflow when parsing crafted JSON with cyclic dependencies.

Vulnerability

CVE-2023-34615 describes a denial-of-service vulnerability in the JSONUtil library up to version 5.0. The JSON parser recursively processes nested structures without enforcing a depth limit, causing a StackOverflowError when parsing deeply nested or cyclic JSON objects [1]. The official description notes that crafted objects using cyclic dependencies can lead to a crash or other unspecified impacts [2].

Exploitation

An attacker can exploit this flaw by supplying a specially crafted JSON string to an application that uses JSONUtil to parse untrusted input. The provided proof-of-concept demonstrates that a deeply nested array (e.g., 9,999 levels) triggers the stack overflow [1]. No authentication or special network position is required; the attack is purely data-driven.

Impact

Successful exploitation results in a denial of service: the Java process terminates with a StackOverflowError, making the application unavailable. The description also mentions “other unspecified impacts,” but the available evidence only confirms the DoS condition [1][2].

Mitigation

As of the publication date, no official patch has been released. Users are advised to avoid using JSONUtil to parse untrusted JSON or to implement input validation that rejects excessively deep or cyclic structures. The library may be unmaintained, so migrating to an alternative JSON parser is recommended.
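One way to implement the depth check recommended above, as an added example (not code from JSONUtil or from the advisory): an iterative scan that rejects over-nested JSON text before it reaches any recursive parser. The class name `JsonDepthGuard` and the limit of 64 are assumptions; `String.repeat` requires Java 11 or later.

```java
public final class JsonDepthGuard {
    // Assumed limit; set it to the deepest document the application legitimately accepts.
    static final int MAX_DEPTH = 64;

    /** Returns true if no array or object in the text nests deeper than maxDepth. */
    static boolean withinDepth(CharSequence json, int maxDepth) {
        int depth = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') {
                    i++;                    // skip the escaped character
                } else if (c == '"') {
                    inString = false;       // closing quote
                }
                continue;                   // brackets inside strings do not nest
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '[':
                case '{':
                    if (++depth > maxDepth) return false;   // reject early, no recursion used
                    break;
                case ']':
                case '}':
                    if (depth > 0) depth--;  // malformed input is left for the parser to report
                    break;
                default:
                    break;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary document, one nested 9,999 levels deep.
        String ordinary = "{\"a\":[1,2,{\"b\":\"[[[[ text, not nesting ]]]]\"}]}";
        String deep = "[".repeat(9999) + "]".repeat(9999);
        System.out.println("ordinary accepted: " + withinDepth(ordinary, MAX_DEPTH));
        System.out.println("deep accepted:     " + withinDepth(deep, MAX_DEPTH));
    }
}
```

The guard covers only the text-parsing path; it does not inspect in-memory object graphs, so it complements rather than replaces moving to a maintained parser.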

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.pwall.json:jsonutil (Maven)
Affected versions: <= 5.0
Patched versions: none listed

Affected products

3

Patches

0

No patches discovered yet.

References

3
