VYPR
Critical severity · NVD Advisory · Published Sep 8, 2023 · Updated Sep 26, 2024

CVE-2023-42277

Description

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In hutool v5.8.21, the JSONObject.putByPath method lacks bounds checking on array indices, allowing an attacker to trigger a denial-of-service condition via OutOfMemoryError by passing an overly large index.

Vulnerability

Description

The vulnerability resides in hutool's JSONObject.putByPath method. When a path contains an array index (e.g., ...z.888888888), the method internally creates a JSONArray and calls ListUtil.setOrPadding to grow the list until it can hold an element at the requested index. With an index like 888888888 that padding loop tries to append roughly 889 million null placeholders, so the backing ArrayList is repeatedly reallocated until the Java heap is exhausted and an OutOfMemoryError is thrown [1][2][4].

Exploitation

An attacker can exploit this by providing a crafted JSON path containing a very large array index. No authentication or special privileges are required if the application accepts user-controlled JSON paths. The attack does not require any specific network position beyond the ability to supply input to the vulnerable method [4].

Impact

Successful exploitation causes Java heap space exhaustion, resulting in a denial-of-service condition. The application may crash or become unresponsive, affecting availability [2][4].

Mitigation

The issue was fixed in commit 9ba8f9c, which adds a bounds check to ListUtil.setOrPadding and JSONArray.add that throws an exception when the requested index exceeds twice (current size + 1), so a single call can at most roughly double the list. Users should upgrade to a version containing this patch (e.g., 5.8.22 or later) or apply the commit manually [3][4].
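As an added example (not hutool's code and not part of this advisory), the Java class below shows the application-side hardening a practitioner would pair with the upgrade for the mechanics and exploitation described above: an absolute cap on array indices and path depth, applied to user-controlled paths before they ever reach JSONObject.putByPath. It also models the bound introduced by commit 9ba8f9c to show why the patch alone is not an absolute limit: the check constrains one call relative to the current list size, so a caller that accepts many paths can still be walked up to a huge array in a few dozen calls. It assumes cn.hutool:hutool-json (any 5.x release) on the classpath; JsonPathGuard, MAX_INDEX, MAX_DEPTH and the method names are assumptions chosen for this example.

```java
import cn.hutool.json.JSONObject;
import cn.hutool.json.JSONUtil;

/**
 * Application-side guard for user-controlled JSON paths handed to
 * JSONObject.putByPath. Added example, not hutool code: it enforces an
 * absolute cap on array indices and path depth before hutool sees the
 * path, independent of which hutool version is on the classpath.
 */
public final class JsonPathGuard {

    /** Largest array index the application accepts (assumption; tune per use case). */
    static final int MAX_INDEX = 1_000;

    /** Maximum number of path segments accepted (assumption). */
    static final int MAX_DEPTH = 32;

    private JsonPathGuard() {}

    /**
     * Rejects a path that is empty, too deep, or contains a purely numeric
     * segment (an array index in hutool's path syntax, in either the
     * "a.b.2" or the "a.b[2]" form) larger than MAX_INDEX.
     * Returns the unchanged path so the call can be chained.
     */
    public static String validate(String path) {
        if (path == null || path.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        // Split on '.', '[' and ']' so bracket indices are seen as their own segment.
        String[] segments = path.split("[.\\[\\]]+");
        int depth = 0;
        for (String seg : segments) {
            if (seg.isEmpty()) {
                continue; // leading delimiter, e.g. "[0].x"
            }
            depth++;
            if (isAllDigits(seg)) {
                // Refuse 19+ digit indices outright so Long.parseLong cannot overflow.
                if (seg.length() > 18 || Long.parseLong(seg) > MAX_INDEX) {
                    throw new IllegalArgumentException("array index too large: " + seg);
                }
            }
        }
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException("path too deep: " + depth);
        }
        return path;
    }

    private static boolean isAllDigits(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < '0' || c > '9') {
                return false;
            }
        }
        return true;
    }

    /** Validates the path, then delegates to hutool's own putByPath. */
    public static JSONObject putByPathGuarded(JSONObject target, String path, Object value) {
        return target.putByPath(validate(path), value);
    }

    /**
     * Models the check added by commit 9ba8f9c (index may not exceed
     * (size + 1) * 2). Counts how many consecutive calls, each using the
     * largest index the check still permits, grow an empty array to at
     * least {@code target} elements. The bound limits one call, not a sequence.
     */
    public static int callsToReach(long target) {
        long size = 0;
        int calls = 0;
        while (size < target) {
            long index = (size + 1) * 2; // largest index the patched check accepts
            size = index + 1;            // list is padded up to index, then the element is set
            calls++;
        }
        return calls; // for 888888888 this is 29
    }

    public static void main(String[] args) {
        JSONObject obj = JSONUtil.createObj();
        putByPathGuarded(obj, "a.b.2", "ok"); // accepted: pads b with nulls up to index 2
        System.out.println(obj);

        try {
            putByPathGuarded(obj, "x.y.z.888888888", "boom"); // the index from the advisory
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("calls needed to exceed 888888888 elements under the patched bound: "
                + callsToReach(888_888_888L));
    }
}
```

The cap is deliberately absolute rather than relative to the current size, which is the property the upstream check does not provide. The trade-off is that hutool also accepts numeric segments as map keys (e.g. users.123.name on a JSONObject), so MAX_INDEX must stay above any legitimate numeric key in your data, or the guard should be restricted to fields known to be arrays.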

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
cn.hutool:hutool-core   Maven       <= 5.8.21           (not listed)
cn.hutool:hutool-json   Maven       <= 5.8.21           (not listed)

Affected products

3

Patches

1
9ba8f9ca5dd3

Fix the JSONArray add() method throwing an OutOfMemory exception

https://github.com/dromara/hutool · Looly · Aug 30, 2023 · via ghsa
3 files changed · +11 −1
  • CHANGELOG.md+2 1 modified
    @@ -25,7 +25,8 @@
     * 【core  】      修复Ipv4Util.getEndIpLong 取反符号导致数据越界(issue#I7U1OQ@Gitee)
     * 【http  】      修复302重定向时,Location中的问号被转义问题(issue#3265@Github)
     * 【core  】      修复CombinationAnnotationElement判断循环问题(pr#3267@Github)
    -* 【core  】      修复StrUtil#containsAny NPE问题问题(pr#1063@Gitee)
    +* 【core  】      修复StrUtil#containsAny NPE问题(pr#1063@Gitee)
    +* 【all   】      修复SONArray的add()方法抛出OutOfMemory异常问题(issue#3286@Github)
     
     -------------------------------------------------------------------------------------------------------------
     # 5.8.21(2023-07-29)
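Review bot: the new CHANGELOG line spells the class "SONArray" (JSONArray) and credits only the JSONArray.add() path, while this same commit also adds the guard to ListUtil.setOrPadding in hutool-core; fix the spelling and mention setOrPadding so hutool-core users without hutool-json can tell the entry applies to them, and say OutOfMemoryError rather than "OutOfMemory exception" since that is what the padding loop actually raised.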
    
  • hutool-core/src/main/java/cn/hutool/core/collection/ListUtil.java+5 0 modified
    @@ -2,6 +2,7 @@
     
     import cn.hutool.core.comparator.PinyinComparator;
     import cn.hutool.core.comparator.PropertyComparator;
    +import cn.hutool.core.exceptions.UtilException;
     import cn.hutool.core.lang.Assert;
     import cn.hutool.core.lang.Matcher;
     import cn.hutool.core.util.ArrayUtil;
    @@ -431,6 +432,10 @@ public static <T> List<T> setOrPadding(List<T> list, int index, T element, T pad
     		if (index < size) {
     			list.set(index, element);
     		} else {
    +			// issue#3286, 增加安全检查,最多增加2倍
    +			if(index > (list.size() + 1) * 2) {
    +				throw new UtilException("Index is too large:", index);
    +			}
     			for (int i = size; i < index; i++) {
     				list.add(paddingElement);
     			}
    
  • hutool-json/src/main/java/cn/hutool/json/JSONArray.java+4 0 modified
    @@ -457,6 +457,10 @@ public void add(int index, Object element) {
     			InternalJSONUtil.testValidity(element);
     			this.rawList.add(index, JSONUtil.wrap(element, this.config));
     		} else {
    +			// issue#3286, 增加安全检查,最多增加2倍
    +			if(index > (this.size() + 1) * 2) {
    +				throw new JSONException("Index is too large:", index);
    +			}
     			while (index != this.size()) {
     				this.add(JSONNull.NULL);
     			}
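Review bot: same message defect as in ListUtil: `new JSONException("Index is too large:", index)` lacks a `{}` placeholder, so the index argument is dropped from the message. The factor 2 and the wording are now duplicated between JSONArray.add and ListUtil.setOrPadding; extract one shared constant or helper so the two guards cannot drift apart. The commit also changes no test file (CHANGELOG, ListUtil, JSONArray only): add a unit test that `add(3, x)` on an empty JSONArray throws JSONException while `add(2, x)` pads two JSONNull slots, plus a regression test for putByPath with the index from issue#3286 that completes without growing the heap.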
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.