Parsson DoS when parsing numbers from untrusted sources
Description
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can allow malicious actors to exploit the fact that Java's built-in support for parsing numbers with large scale has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.parsson:project (Maven) | >= 1.1.0, < 1.1.4 | 1.1.4 |
| org.eclipse.parsson:project (Maven) | < 1.0.5 | 1.0.5 |
Affected products
- Eclipse Foundation / Parsson
Vulnerability mechanics
Root cause
"Missing absolute-value check on BigDecimal scale allows negative scales with large magnitude to bypass the size limit, leading to excessive iteration in BigInteger conversion."
Attack vector
An attacker supplies a JSON document containing a number with a very large positive or negative scale (e.g., a `BigDecimal` with scale -100001). When the application calls `bigIntegerValue()` or `bigIntegerValueExact()` on the parsed `JsonNumber`, the unchecked scale causes Java's `BigDecimal.toBigInteger()` to perform an excessive number of iterations, consuming disproportionate CPU time. This constitutes a denial-of-service vector via untrusted JSON input [CWE-20] [CWE-834]. No authentication is required if the parser is exposed to unauthenticated data sources.
Affected code
The vulnerability resides in `JsonNumberImpl.java` in the `bigIntegerValue()` and `bigIntegerValueExact()` methods. These methods compared the raw `bd.scale()` value against a limit without taking the absolute value, so a negative scale (e.g., -100001) would pass the check `bd.scale() <= bigIntegerScaleLimit` and allow excessive processing. The patch also updates `JsonConfig.java` to clarify that the limit applies to the absolute value of the scale.
What the fix does
The patch in `JsonNumberImpl.java` changes the scale check from `bd.scale() <= bigIntegerScaleLimit` to `Math.abs(bd.scale()) <= bigIntegerScaleLimit` in both `bigIntegerValue()` and `bigIntegerValueExact()`. This ensures that negative scale values (which can be arbitrarily large in magnitude) are also capped. The error message is moved to a localized resource bundle (`JsonMessages.NUMBER_SCALE_LIMIT_EXCEPTION`) and now refers to the "absolute value" of the scale. Corresponding test cases (`testDefaultBigIntegerNegScaleAboveLimit`, `testConfigBigIntegerNegScaleAboveLimit`, `testSystemPropertyBigIntegerNegScaleAboveLimit`) verify that negative scales above the limit are rejected [patch_id=1640649].
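As an added example (not Parsson's own code), the following standalone Java program contrasts the pre-fix and post-fix scale checks described above on constructed inputs; the limit constant, method and class names are this example's own assumptions, chosen to mirror the check the advisory describes.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/** Added example: mirrors the vulnerable and fixed scale checks; not Parsson source. */
public class ScaleLimitDemo {
    // Default scale limit quoted on the page (constant name is this example's own).
    static final int BIG_INTEGER_SCALE_LIMIT = 100000;

    /** Pre-fix check: a negative scale of large magnitude (e.g. -100001) slips through. */
    static boolean vulnerableCheck(BigDecimal bd) {
        return bd.scale() <= BIG_INTEGER_SCALE_LIMIT;
    }

    /** Post-fix check: the absolute value of the scale is compared against the limit. */
    static boolean fixedCheck(BigDecimal bd) {
        return Math.abs(bd.scale()) <= BIG_INTEGER_SCALE_LIMIT;
    }

    /** Guarded conversion an application can apply before converting a parsed number. */
    static BigInteger toBigIntegerGuarded(String numberText) {
        BigDecimal bd = new BigDecimal(numberText);
        if (!fixedCheck(bd)) {
            throw new ArithmeticException("scale magnitude " + Math.abs(bd.scale())
                + " exceeds limit " + BIG_INTEGER_SCALE_LIMIT);
        }
        return bd.toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed inputs; the last one yields scale -100001, the case from the advisory.
        String[] samples = { "12345", "1.5E3", "1E-100001", "1E+100001" };
        for (String s : samples) {
            BigDecimal bd = new BigDecimal(s);
            System.out.printf("%-12s scale=%8d vulnerableCheck=%-5b fixedCheck=%b%n",
                s, bd.scale(), vulnerableCheck(bd), fixedCheck(bd));
        }
        // "1E-100001" (scale 100001) is rejected by both checks; "1E+100001" (scale -100001)
        // passes the old check but is rejected by the fixed one.
        System.out.println(toBigIntegerGuarded("1.5E3")); // 1500
    }
}
```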
Preconditions
- Input: The application must parse untrusted JSON input using Eclipse Parsson and subsequently call `bigIntegerValue()` or `bigIntegerValueExact()` on a `JsonNumber` with a large scale.
- Auth: No authentication or special configuration is required; the default scale limit of 100000 is in effect.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.