CVE-2023-34616
Description
pbjson <=0.4.0 crashes with a stack overflow when parsing deeply nested or cyclic JSON, enabling remote denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The pbjson library (through version 0.4.0) parses JSON by recursive descent with no depth limit: every nested array or object adds another frame to the Java thread stack, so input nested deeply enough exhausts the stack and throws a StackOverflowError [1][2]. The advisory also lists cyclic input. JSON text itself has no syntax for references and cannot encode a cycle, so that case applies to in-memory object graphs handed to the library rather than to a parsed document; a recursive walk that does not track visited nodes never reaches a leaf and fails the same way.
Exploitation
An attacker can send a specially crafted JSON document to any application that uses pbjson to parse untrusted input. The proof-of-concept in the public issue tracker is a deeply nested JSON array, 9,999 opening brackets followed by their closing brackets, which is enough to crash the parser [2]. That payload is under 20 KB of text, well inside any ordinary request-size limit, so a body-size cap alone does not block it. The cyclic case is the same recursion with no terminating level at all: a walk that follows child references without tracking visited nodes never bottoms out.
Impact
Successful exploitation results in a denial of service (DoS). StackOverflowError is a java.lang.Error, not an Exception, so the usual catch (Exception e) around a parse call does not stop it; unless something up the stack catches Throwable, the parsing thread dies, and depending on the framework the request handler, worker pool, or whole process goes with it. No authentication is required if the parser is exposed to unauthenticated input, making this a low-complexity attack with high availability impact.
Mitigation
As of the publication date (2023-06-14), no patched version of pbjson has been released and the advisory lists none. Users should avoid parsing untrusted JSON with this library, enforce an external nesting-depth limit on the raw text before it reaches the parser, or migrate to a maintained JSON parser that includes recursion safeguards. Catching StackOverflowError in application code is a last line of defence, not a fix: it keeps the thread alive but leaves the unbounded recursion in place.
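The external depth limit recommended above, as a worked example added here; this is not pbjson's code and is not taken from the advisory or the issue tracker. It is a single-pass scan over the raw JSON text that counts array/object nesting while skipping bracket characters inside string literals, and rejects the document before any recursive parser sees it. Because the scan is a loop rather than a recursion, its own stack use is constant regardless of input depth. The class and method names, and the limit of 64, are assumptions chosen for illustration; the 9,999-bracket payload is constructed inline to match the shape of the public PoC.

```java
// JsonDepthGuard.java -- added example, not part of pbjson.
// Run a nesting-depth check on untrusted JSON text before handing it to a parser
// that has no recursion limit. The scan is iterative, so it cannot itself be
// overflowed by deeply nested input.
public final class JsonDepthGuard {

    /** Thrown when the document nests deeper than the configured limit. */
    public static final class DepthExceededException extends IllegalArgumentException {
        public DepthExceededException(int limit) {
            super("JSON nesting depth exceeds limit of " + limit);
        }
    }

    private JsonDepthGuard() {}

    /**
     * Returns the maximum nesting depth of arrays/objects in the text, ignoring
     * brackets that appear inside string literals (escaped quotes are handled).
     * This does not validate the document; unbalanced or otherwise malformed input
     * is left for the real parser. Returns -1 if a closing bracket appears with
     * nothing open, which the parser will reject anyway.
     */
    public static int maxDepth(String json) {
        int depth = 0;
        int max = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) {
                    escaped = false;          // the character after a backslash is literal
                } else if (c == '\\') {
                    escaped = true;
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '[':
                case '{':
                    depth++;
                    if (depth > max) max = depth;
                    break;
                case ']':
                case '}':
                    depth--;
                    if (depth < 0) return -1;
                    break;
                default:
                    break;
            }
        }
        return max;
    }

    /** Returns the text unchanged if it is within the limit, otherwise throws. */
    public static String checkDepth(String json, int limit) {
        if (maxDepth(json) > limit) {
            throw new DepthExceededException(limit);
        }
        return json;
    }

    // Demo: a benign document passes; a 9,999-level array (the shape of the
    // public PoC) is rejected without any recursion taking place.
    public static void main(String[] args) {
        final int limit = 64; // assumed policy value; tune to the documents you actually expect

        // Constructed sample: note the "]" inside a string, which must not count.
        String benign = "{\"user\":\"alice\",\"tags\":[\"a\",\"b]\"],\"n\":{\"x\":[1,2,3]}}";
        System.out.println("benign depth = " + maxDepth(benign)); // 3

        // Constructed payload with the same shape as the issue-tracker PoC.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 9999; i++) sb.append('[');
        for (int i = 0; i < 9999; i++) sb.append(']');
        String deep = sb.toString();

        try {
            checkDepth(deep, limit);
            System.out.println("unexpected: deep document accepted");
        } catch (DepthExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Only after checkDepth returns would the text be passed to the library's parser.
    }
}
```

Put the check at the trust boundary (request body, message consumer, file import) so it runs on every path into the parser, and pick the limit from the documents the application legitimately handles rather than from what the JVM stack happens to tolerate, since the latter varies with thread stack size and with how deep the call stack already is when parsing starts.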
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.progsbase.libraries:JSON (Maven) | <= 0.4.0 | — |
Affected products (2)
- pbjson/pbjson
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.