VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 3, 2025

CVE-2023-34617

Description

Genson Java library up to version 1.6 is vulnerable to denial of service via stack overflow when deserializing crafted JSON with deeply nested structures or cyclic dependencies.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The vulnerability in Genson (versions through 1.6) is a denial of service (DoS) condition caused by a stack overflow error during deserialization of specially crafted JSON input [1][2]. The root cause is that Genson does not enforce a limit on the depth of nested objects or arrays, allowing an attacker to supply a payload with excessive nesting (e.g., 9999 levels) that exhausts the call stack [2].

Exploitation Details

An attacker can exploit this by sending a JSON document with deeply nested arrays or objects to any application that uses Genson to parse untrusted JSON [2]. No authentication is required if the vulnerable endpoint is exposed publicly. The provided proof of concept demonstrates how to trigger the overflow with a nested structure of arrays [2].

Impact

Successful exploitation leads to a stack overflow crash, resulting in a denial of service for the affected service [2]. The official description also mentions possible other unspecified impacts [3].

Mitigation Status

As of the vulnerability disclosure, no patched version has been released for CVE-2023-34617; the issue remains open in the Genson repository [1][2]. Users should consider input validation, restricting nesting depth, or using an alternative JSON library until a fix is available.
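One way to apply the "restrict nesting depth" mitigation above is to bound nesting before the text ever reaches the JSON library, so a deeply nested payload is rejected by a flat loop instead of recursing through the parser. The following is an added example for this advisory, not code from the advisory or from the Genson project; the 32-level limit and the class name JsonDepthGuard are assumptions, and the 10000-level input in main is constructed for the demonstration.

```java
import java.util.Arrays;

/**
 * Pre-parse nesting-depth guard for untrusted JSON text (added illustration,
 * not Genson code). It counts '[' and '{' that occur outside string literals,
 * so brackets inside a string value do not inflate the measured depth, and it
 * stops scanning as soon as the limit is exceeded.
 */
public final class JsonDepthGuard {
    /** Assumed limit; tune to the deepest structure your schema legitimately needs. */
    public static final int DEFAULT_MAX_DEPTH = 32;

    /** Returns the maximum nesting depth seen, or -1 as soon as maxDepth is exceeded. */
    public static int measureDepth(CharSequence json, int maxDepth) {
        int depth = 0, maxSeen = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) { escaped = false; }        // char after a backslash is literal
                else if (c == '\\') { escaped = true; }
                else if (c == '"') { inString = false; }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '[': case '{':
                    depth++;
                    if (depth > maxDepth) return -1;     // reject early; no need to scan the rest
                    if (depth > maxSeen) maxSeen = depth;
                    break;
                case ']': case '}':
                    if (depth > 0) depth--;              // unbalanced input is left to the real parser
                    break;
                default: break;
            }
        }
        return maxSeen;
    }

    public static boolean isSafeToParse(CharSequence json, int maxDepth) {
        return measureDepth(json, maxDepth) >= 0;
    }

    public static void main(String[] args) {
        String shallow = "{\"a\":[1,2,{\"b\":\"[[[[\"}]}"; // brackets in the string are ignored
        char[] open = new char[10000]; Arrays.fill(open, '[');
        char[] close = new char[10000]; Arrays.fill(close, ']');
        String deep = new String(open) + new String(close);  // constructed 10000-level array
        for (String doc : new String[] { shallow, deep }) {
            if (isSafeToParse(doc, DEFAULT_MAX_DEPTH)) {
                System.out.println("accepted: hand to the JSON library");
            } else {
                System.out.println("rejected: nesting exceeds " + DEFAULT_MAX_DEPTH);
            }
        }
    }
}
```

The guard only bounds bracket depth; it is a stopgap in front of the parser, not a substitute for a library release that enforces its own limit.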

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.owlike:genson (Maven)
Affected versions: <= 1.6
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)