CVE-2023-39685
Description
Crafted JSON input causes StringIndexOutOfBoundsException in hjson-java up to v3.0.0, enabling denial-of-service via parser crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In hjson-java versions up to and including 3.0.0, HjsonParser.readMlString can throw java.lang.StringIndexOutOfBoundsException while parsing malformed input [1]. The root cause, visible in the fix commit, is on the multi-line string terminator path: when the closing ''' is reached while the accumulated StringBuilder is still empty, the parser evaluates sb.charAt(sb.length()-1), that is charAt(-1), to strip a trailing newline, and the unchecked exception escapes the parser [4].
Exploitation
An attacker can trigger the bug by supplying a crafted Hjson document, such as [\n[\n=\n[[''''' (as demonstrated in the proof-of-concept) [4]; the payload relies on Hjson's triple-quoted multi-line string syntax, which is not valid JSON but is accepted by this library. No authentication or special privileges are required; the vulnerability is reachable wherever the library parses untrusted input [3]. The exception is thrown from readMlString during a call to JsonValue.readHjson() [4].
Impact
Successful exploitation leads to an unchecked exception that, unless the caller catches it, terminates the parsing thread, resulting in a denial-of-service condition [1][3]. This can be used to disrupt applications that rely on hjson-java to parse external data, potentially cascading into service downtime [4].
Mitigation
The vulnerability has been fixed in commit aff0b607929b4397d93dc0d029a56aeefb242602 [1], which guards the trailing-newline check with sb.length() > 0. Users should upgrade to a release containing that commit; the GitHub Security Advisory lists 3.0.1 as the patched version (see the affected-packages table below), so treat 3.0.0 and earlier as vulnerable [2]. No workarounds are documented. Where an immediate upgrade is not possible, note that the failure is a RuntimeException thrown out of JsonValue.readHjson(): catching RuntimeException around parse calls on untrusted input and rejecting the document confines the impact to that one request rather than the whole thread, but it does not remove the bug.
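As an added example (not code from hjson-java or from the advisory references), the following Java program exercises the failing path described above and applies the containment caveat from the Mitigation section. The input `[ '''''' ]` is derived from the fix diff rather than from the proof-of-concept: an empty multi-line string makes the parser reach the unguarded charAt call. `JsonValue.readHjson(String)`, `JsonValue.toString()` and `org.hjson.ParseException` are the library's real API; the class name `HjsonGuard`, the helpers `parseUntrusted` and `buildIsVulnerable`, and the sample documents are assumptions made for this example.

```java
import org.hjson.JsonValue;
import org.hjson.ParseException;

/**
 * Added example (not part of hjson-java): feeds an empty multi-line string
 * through JsonValue.readHjson and confines any parser failure to the one
 * request instead of letting it kill the calling thread.
 */
public final class HjsonGuard {

    // Constructed input, derived from the fix diff rather than the PoC: the
    // closing ''' follows the opening ''' immediately, so the parser's buffer
    // is empty when it checks for a trailing newline. Vulnerable builds
    // (<= 3.0.0) throw StringIndexOutOfBoundsException here; patched builds
    // return an array holding one empty string.
    static final String EMPTY_MULTILINE = "[ '''''' ]";

    // Constructed well-formed document for comparison. Members are separated
    // by newlines because a quoteless Hjson string runs to the end of its line.
    static final String BENIGN = "{\n  name: hjson\n  version: 3\n}";

    /**
     * Parse untrusted Hjson. Both the library's own ParseException and any
     * other RuntimeException escaping the parser (the CVE's unchecked
     * StringIndexOutOfBoundsException included) become an
     * IllegalArgumentException the caller can map to "bad request".
     * This is containment only; it does not fix the parser.
     */
    static JsonValue parseUntrusted(String text) {
        try {
            return JsonValue.readHjson(text);
        } catch (ParseException e) {
            throw new IllegalArgumentException("malformed Hjson: " + e.getMessage(), e);
        } catch (RuntimeException e) {
            throw new IllegalArgumentException(
                "parser failure (" + e.getClass().getName() + "), input rejected", e);
        }
    }

    /** True if the hjson-java build on the classpath still crashes on an empty multi-line string. */
    static boolean buildIsVulnerable() {
        try {
            JsonValue.readHjson(EMPTY_MULTILINE);
            return false;
        } catch (StringIndexOutOfBoundsException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable build: " + buildIsVulnerable());
        for (String doc : new String[] { BENIGN, EMPTY_MULTILINE }) {
            try {
                System.out.println("accepted: " + parseUntrusted(doc).toString());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with org.hjson:hjson on the classpath. Against a build at or below 3.0.0 the first line reports a vulnerable build and the second document is rejected with the StringIndexOutOfBoundsException named in the message; against a patched build the same document is accepted and prints as `[""]`. The `buildIsVulnerable` probe is a quick way to confirm a dependency upgrade actually took effect in a deployed artifact.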
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.hjson:hjson (Maven) | < 3.0.1 | 3.0.1 |
Affected products
hjson-java/hjson-java
Patches
1 file changed · +1 −1
src/main/org/hjson/HjsonParser.java+1 −1 modified@@ -263,7 +263,7 @@ else if (current=='\'') { triple++; read(); if (triple==3) { - if (sb.charAt(sb.length()-1)=='\n') sb.deleteCharAt(sb.length()-1); + if (sb.length() > 0 && sb.charAt(sb.length()-1)=='\n') sb.deleteCharAt(sb.length()-1); return sb.toString(); }
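Review bot: the added `sb.length() > 0 &&` guard correctly prevents charAt(-1) when the closing ''' is reached with an empty buffer, but the commit touches only src/main/org/hjson/HjsonParser.java (1 file changed, +1 −1) and adds no regression test for the case it fixes; suggest a parser test that reads an empty multi-line string (`''''''`) and asserts the result is "" rather than an exception, plus one whose buffer holds exactly a single "\n" so the deleteCharAt path is exercised at length 1.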
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.