VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 2, 2025

CVE-2023-35110

Description

Crafted cyclic dependencies in jjson ≤0.1.7 cause a stack overflow leading to denial of service via JSON serialization of self-referencing maps.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

An issue in jjson versions up through 0.1.7 allows attackers to trigger a denial of service by supplying a crafted object with cyclic dependencies [1]. The root cause is a missing cycle-detection mechanism during JSON serialization: when the encoder encounters a map that directly or indirectly references itself, the recursive encoding algorithm enters infinite recursion [2].

Exploitation Prerequisites

The attack requires the ability to provide a specially crafted Map object to jjson’s serialization routines. No authentication is needed if the library processes untrusted input; the attacker simply needs to make the application serialize a self-referencing data structure (e.g., a map that contains itself as a value). The exploit does not depend on network position beyond sending the crafted payload [2].

Impact

A successful exploit causes a stack overflow error (java.lang.StackOverflowError) that crashes the JVM process, resulting in a denial of service [2]. The CVE description also mentions “other unspecified impacts,” but available references only confirm the availability impact [1][3].

Mitigation

The vulnerability was fixed in version 0.1.7; users should upgrade to the latest release [1]. No official workaround has been published, but applications can mitigate risk by avoiding serialization of untrusted objects with cyclic references until patched.
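
One way an application can refuse cyclic structures before they reach a recursive JSON encoder, shown as an added example that is not jjson's code or part of the advisory. The names `CycleGuard`, `requireAcyclic` and `MAX_DEPTH` are hypothetical, and the check covers lists as well as the maps the advisory describes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not part of jjson): rejects container graphs that
// reference themselves before they reach a recursive JSON encoder.
public final class CycleGuard {
    private static final int MAX_DEPTH = 64; // assumed limit; tune per application
    public static void requireAcyclic(Object root) {
        Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<>());
        walk(root, path, 0);
    }

    private static void walk(Object node, Set<Object> path, int depth) {
        boolean isMap = node instanceof Map;
        if (!isMap && !(node instanceof Iterable)) return; // scalars cannot form cycles
        if (depth > MAX_DEPTH) throw new IllegalArgumentException("nesting too deep");
        // Identity comparison: equals()/hashCode() on a cyclic map would itself recurse.
        if (!path.add(node)) throw new IllegalArgumentException("cyclic reference");
        Iterable<?> children = isMap ? ((Map<?, ?>) node).values() : (Iterable<?>) node;
        for (Object child : children) walk(child, path, depth + 1);
        path.remove(node); // leaving this branch: shared, non-cyclic references stay legal
    }

    public static void main(String[] args) {
        // Constructed sample input: a map that contains itself as a value.
        Map<String, Object> self = new HashMap<>();
        self.put("name", "constructed-sample");
        self.put("self", self);
        // Constructed sample input: the same list referenced twice, no cycle.
        List<Object> shared = new ArrayList<>(List.of(1, 2));
        Map<String, Object> ok = new HashMap<>();
        ok.put("a", shared);
        ok.put("b", shared);
        requireAcyclic(ok);
        System.out.println("acyclic map accepted");
        try {
            requireAcyclic(self);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The depth limit also bounds deeply nested but acyclic input, which can exhaust the stack of a recursive encoder in the same way.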

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
de.grobmeier.json:jjson (Maven) | <= 0.1.7 |

Patches

No patches discovered yet.
