VYPR
High severity · NVD Advisory · Published Sep 8, 2023 · Updated Sep 26, 2024

CVE-2023-42278

Description

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hutool before 5.8.22 lets a crafted JSON string passed to JSONUtil.parse() drive unbounded memory allocation, exhausting the heap and denying service; NVD records the flaw as a buffer overflow.

CVE-2023-42278 is a denial-of-service vulnerability in Hutool, a Java utility library, affecting versions before 5.8.22. Parsing a specially crafted malformed JSON string with JSONUtil.parse() leads to excessive memory consumption and eventual heap exhaustion [1][3]. The fix commit points at two weaknesses. First, the object parser read keys with the general-purpose JSONTokener.nextValue(), so a nested array or object in key position (the regression test uses {"a":1,[6E962756779]}) was fully materialised and converted to a string instead of being rejected up front. Second, JSONArray.add(int, Object) and ListUtil.setOrPadding padded a list with nulls up to a caller-supplied index, bounded only by a check that the same commit reworks [1].

Exploitation

An attacker can exploit this vulnerability by providing a malicious JSON payload containing deeply nested arrays or specific numeric patterns (e.g., {"G":00,[,,[0E5,6E9,...]}) to any application that uses Hutool's JSON parsing functionality [3]. No authentication or special network position is required beyond the ability to deliver an HTTP request or other data that ends up in JSONUtil.parse(). Although NVD labels the flaw a buffer overflow, the JVM is memory-safe: what happens is unbounded allocation while the parser materialises and serialises the malformed structure, so the observable result is an OutOfMemoryError rather than memory corruption [3].

Impact

Successful exploitation results in a denial of service (DoS) by exhausting available Java heap space, causing the application to hang or crash [3]. Because the heap is shared across threads, an OutOfMemoryError raised while handling one request can destabilise the whole JVM rather than just the offending request. No remote code execution or data tampering has been reported; the vulnerability affects the availability of systems relying on Hutool's JSON handling.

Mitigation

The vulnerability was fixed in Hutool 5.8.22, released on 2023-09-05 (commit 5c4486b9f58a). JSONParser now reads object keys with the new JSONTokener.nextStringValue(), which raises a JSONException as soon as a key begins with '{' or '[' instead of parsing the nested value; the same commit moves the padding bound used by ListUtil.setOrPadding and JSONArray.add into Validator.checkIndexLimit and relaxes it from 2x to 10x of the current size plus one [1]. Users should upgrade to Hutool 5.8.22 or later. No workaround has been documented; as general hygiene, capping request body size and validating untrusted JSON before it reaches a lenient parser limits the damage any single request can do.
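Both input shapes the fix commit deals with, a non-string token in object-key position and a numeric literal with an enormous exponent, can be refused before the text is handed to any lenient parser. The class below is an added example written for this page, not Hutool code; the class name, the limits passed in main() and the rejection messages are arbitrary assumptions, and it supplements the upgrade rather than replacing it.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Pre-parse guard for untrusted JSON text, meant to run before the text reaches a
 * lenient parser such as Hutool's JSONUtil.parse(). Hypothetical helper written for
 * this advisory; it is not part of Hutool. It never builds an object tree, so its
 * cost is linear in the input length no matter what the input contains.
 */
public final class UntrustedJsonGuard {

    private final int maxLength;          // total characters accepted
    private final int maxDepth;           // nested containers accepted
    private final int maxExponentDigits;  // digits allowed after 'e'/'E' in a number

    public UntrustedJsonGuard(int maxLength, int maxDepth, int maxExponentDigits) {
        this.maxLength = maxLength;
        this.maxDepth = maxDepth;
        this.maxExponentDigits = maxExponentDigits;
    }

    /** Returns null when the text passes every check, otherwise a short rejection reason. */
    public String reject(String json) {
        if (json.length() > maxLength) return "document longer than " + maxLength + " chars";
        Deque<Character> open = new ArrayDeque<>(); // stack of unclosed '{' / '['
        boolean expectKey = false;                  // inside an object, a key is due next
        int i = 0;
        final int n = json.length();
        while (i < n) {
            char c = json.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            if (c == '"') {
                // Skip a string literal, honouring backslash escapes.
                i++;
                while (i < n && json.charAt(i) != '"') {
                    if (json.charAt(i) == '\\') i++;   // skip the escaped character
                    i++;
                }
                if (i >= n) return "unterminated string";
                i++;
                expectKey = false;
                continue;
            }
            if (c == '}' || c == ']') {
                // Handled before the key check so that "{}" and "{...,}" close normally.
                if (open.isEmpty()) return "unbalanced '" + c + "' at " + i;
                char o = open.pop();
                if ((o == '{') != (c == '}')) return "mismatched '" + c + "' at " + i;
                expectKey = false;
                i++;
                continue;
            }
            if (expectKey) {
                // A key position holding anything but a quoted string is refused; this
                // covers the '[' and '{' keys that Hutool 5.8.22 also rejects.
                return "object key must be a quoted string, found '" + c + "' at " + i;
            }
            switch (c) {
                case '{':
                case '[':
                    if (open.size() >= maxDepth) return "nesting deeper than " + maxDepth;
                    open.push(c);
                    expectKey = (c == '{');
                    i++;
                    break;
                case ',':
                    // After a comma inside an object the next token must be a key.
                    expectKey = !open.isEmpty() && open.peek() == '{';
                    i++;
                    break;
                case ':':
                    i++;
                    break;
                default: {
                    int start = i;
                    if (c == '-' || (c >= '0' && c <= '9')) {
                        while (i < n && "+-.0123456789eE".indexOf(json.charAt(i)) >= 0) i++;
                        String num = json.substring(start, i);
                        int e = Math.max(num.indexOf('e'), num.indexOf('E'));
                        if (e >= 0) {
                            String exp = num.substring(e + 1).replaceFirst("^[+-]", "");
                            if (exp.length() > maxExponentDigits) {
                                return "exponent with " + exp.length() + " digits in " + num;
                            }
                        }
                    } else {
                        while (i < n && Character.isLetter(json.charAt(i))) i++; // true/false/null
                        if (i == start) return "unexpected character '" + c + "' at " + i;
                    }
                }
            }
        }
        return open.isEmpty() ? null : "unclosed container at end of input";
    }

    public static void main(String[] args) {
        UntrustedJsonGuard guard = new UntrustedJsonGuard(1 << 20, 64, 3);
        // Constructed samples: the regression-test input from the fix commit, a benign
        // document, and a number whose exponent is far beyond anything legitimate.
        String[] samples = {
            "{\"a\":1,[6E962756779]}",
            "{\"a\":1,\"b\":[6E9,\"x\"],\"c\":{}}",
            "[1.5E12345]",
        };
        for (String s : samples) {
            String why = guard.reject(s);
            System.out.println((why == null ? "ACCEPT  " : "REJECT  ") + s
                    + (why == null ? "" : "   <- " + why));
        }
    }
}
```

Running main() rejects the regression-test payload (key position holds '[') and the oversized-exponent value while the well-formed document passes. The guard is one linear scan that allocates nothing proportional to the numbers it reads, which is the property you want in front of a parser that materialises whatever it is given; tune maxDepth and maxExponentDigits to what the application actually needs (three exponent digits already exceed the range of an IEEE double).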

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Ecosystem  Affected versions  Patched versions
cn.hutool:hutool-core  Maven      < 5.8.22           5.8.22
cn.hutool:hutool-json  Maven      < 5.8.22           5.8.22

Affected products: 3

Patches

Commit 5c4486b9f58a · https://github.com/dromara/hutool · Looly · Sep 5, 2023 · via GHSA

Fix JSONUtil.parse() overflow issue

7 files changed · +90 −11
  • CHANGELOG.md (+2 −1, modified)
    @@ -2,7 +2,7 @@
     # 🚀Changelog
     
     -------------------------------------------------------------------------------------------------------------
    -# 5.8.22(2023-09-01)
    +# 5.8.22(2023-09-05)
     
     ### 🐣新特性
     * 【core  】      NumberUtil.nullToZero增加重载(issue#I7PPD2@Gitee)
    @@ -30,6 +30,7 @@
     * 【core  】      修复fillColumns空指针问题(issue#3284@Github)
     * 【core  】      修复Convert不能转换Optional和Opt问题(issue#I7WJHH@Gitee)
     * 【core  】      修复DateUtil.age年龄计算问题(issue#I7XMYW@Gitee)
    +* 【core  】      修复JSONUtil.parse()溢出问题(issue#3289@Github)
     
     -------------------------------------------------------------------------------------------------------------
     # 5.8.21(2023-07-29)
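Review bot: the new changelog line is tagged 【core】, but the code that fixes issue#3289 lives in hutool-json (JSONParser.parseTo now calls the new JSONTokener.nextStringValue()); tag it 【json】 so readers following the json module's history find it. The same commit also relaxes the issue#3286 padding limit in ListUtil.setOrPadding and JSONArray.add from 2x to 10x and changes the exception type thrown there; that is a behaviour change callers can observe and deserves its own changelog entry.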
    
  • hutool-core/src/main/java/cn/hutool/core/collection/ListUtil.java (+3 −4, modified)
    @@ -5,6 +5,7 @@
     import cn.hutool.core.exceptions.UtilException;
     import cn.hutool.core.lang.Assert;
     import cn.hutool.core.lang.Matcher;
    +import cn.hutool.core.lang.Validator;
     import cn.hutool.core.util.ArrayUtil;
     import cn.hutool.core.util.ObjectUtil;
     import cn.hutool.core.util.PageUtil;
    @@ -432,10 +433,8 @@ public static <T> List<T> setOrPadding(List<T> list, int index, T element, T pad
     		if (index < size) {
     			list.set(index, element);
     		} else {
    -			// issue#3286, 增加安全检查,最多增加2倍
    -			if(index > (list.size() + 1) * 2) {
    -				throw new UtilException("Index is too large:", index);
    -			}
    +			// issue#3286, 增加安全检查,最多增加10倍
    +			Validator.checkIndexLimit(index, list.size());
     			for (int i = size; i < index; i++) {
     				list.add(paddingElement);
     			}
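Review bot: the exception thrown on an oversized index changes here from UtilException to the ValidateException raised inside Validator.checkIndexLimit, so any caller catching UtilException around setOrPadding will now see an unexpected unchecked exception; either catch ValidateException and rethrow it as UtilException, or call out the new type in the method's Javadoc. The bound also loosens from (size + 1) * 2 to (size + 1) * 10 and is applied per call, so it caps the cost of one operation rather than cumulative growth over repeated calls; say so in the comment so nobody reads it as a hard size limit.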
    
  • hutool-core/src/main/java/cn/hutool/core/lang/Validator.java (+19 −0, modified)
    @@ -1257,4 +1257,23 @@ public static <T extends CharSequence> T validateCarDrivingLicence(T value, Stri
     		}
     		return value;
     	}
    +
    +	/**
    +	 * 检查给定的index是否超出长度限制,默认检查超出倍数(10倍),此方法主要用于内部,检查包括:
    +	 * <ul>
    +	 *     <li>数组调用setOrPadding时,最多允许padding的长度</li>
    +	 *     <li>List调用setOrPadding时,最多允许padding的长度</li>
    +	 *     <li>JSONArray调用setOrPadding时,最多允许padding的长度</li>
    +	 * </ul>
    +	 *
    +	 * @param index 索引
    +	 * @param size  数组、列表长度
    +	 * @since 5.8.22
    +	 */
    +	public static void checkIndexLimit(final int index, final int size) {
    +		// issue#3286, 增加安全检查,最多增加10倍
    +		if (index > (size + 1) * 10) {
    +			throw new ValidateException("Index [{}] is too large for size: [{}]", index, size);
    +		}
    +	}
     }
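Review bot: checkIndexLimit only rejects index > (size + 1) * 10 and never checks index < 0 or size < 0, while its Javadoc presents it as a general index-limit check; either reject negatives here as well or document that callers must have validated them first. The product (size + 1) * 10 also overflows int once size exceeds roughly 214 million, after which every index is rejected; that fails closed, which is acceptable, but it deserves a comment or Math.multiplyExact so the behaviour is deliberate. Minor: the Javadoc speaks of a 10倍 limit, but the tolerated value is 10 * (size + 1), so an empty list may still be padded to index 10.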
    
  • hutool-json/src/main/java/cn/hutool/json/JSONArray.java (+3 −4, modified)
    @@ -3,6 +3,7 @@
     import cn.hutool.core.bean.BeanPath;
     import cn.hutool.core.collection.CollUtil;
     import cn.hutool.core.lang.Filter;
    +import cn.hutool.core.lang.Validator;
     import cn.hutool.core.lang.mutable.Mutable;
     import cn.hutool.core.lang.mutable.MutableObj;
     import cn.hutool.core.lang.mutable.MutablePair;
    @@ -457,10 +458,8 @@ public void add(int index, Object element) {
     			InternalJSONUtil.testValidity(element);
     			this.rawList.add(index, JSONUtil.wrap(element, this.config));
     		} else {
    -			// issue#3286, 增加安全检查,最多增加2倍
    -			if(index > (this.size() + 1) * 2) {
    -				throw new JSONException("Index is too large:", index);
    -			}
    +			// issue#3286, 增加安全检查,最多增加10倍
    +			Validator.checkIndexLimit(index, this.size());
     			while (index != this.size()) {
     				this.add(JSONNull.NULL);
     			}
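Review bot: JSONArray.add(int, Object) used to throw JSONException for an oversized index and now lets the ValidateException from Validator.checkIndexLimit escape. Code that builds or parses JSON typically catches JSONException only, so this case will propagate past those handlers; catch ValidateException here and rethrow it as JSONException to keep the public API's exception contract. The while loop that follows still appends JSONNull.NULL one element at a time up to 10 * (size + 1) entries per call, which is fine for a sanity bound but should be stated next to the check.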
    
  • hutool-json/src/main/java/cn/hutool/json/JSONParser.java (+2 −1, modified)
    @@ -1,5 +1,6 @@
     package cn.hutool.json;
     
    +import cn.hutool.core.lang.Console;
     import cn.hutool.core.lang.Filter;
     import cn.hutool.core.lang.mutable.Mutable;
     import cn.hutool.core.lang.mutable.MutablePair;
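Review bot: the added `import cn.hutool.core.lang.Console;` is not used anywhere in this diff and looks like a debugging leftover; drop it before merge so the json module does not pick up an unused-import warning or an incidental dependency on the Console utility.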
    @@ -66,7 +67,7 @@ public void parseTo(JSONObject jsonObject, Filter<MutablePair<String, Object>> f
     					}
     				default:
     					tokener.back();
    -					key = tokener.nextValue().toString();
    +					key = tokener.nextStringValue();
     			}
     
     			// The key is followed by ':'.
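Review bot: switching the key read to nextStringValue() is the actual fix for issue#3289, since a key starting with '[' or '{' now fails fast with a syntax error instead of being parsed into a JSONArray or JSONObject and stringified. Two points to confirm: unquoted scalar keys such as `{1:2}` or `{true:1}` are still accepted, now as the raw token text rather than via the stringToValue() round trip that nextValue().toString() used to perform; if that leniency is intended, say so in the Javadoc of parseTo. And because nextStringValue() is new public API on JSONTokener, a test for the '{' branch and for an unquoted key would pin the behaviour down beyond what Issue3289Test covers.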
    
  • hutool-json/src/main/java/cn/hutool/json/JSONTokener.java (+38 −1, modified)
    @@ -322,6 +322,43 @@ public String nextTo(String delimiters) throws JSONException {
     		}
     	}
     
    +	/**
    +	 * 获取下一个String格式的值,用户获取key
    +	 * @return String格式的值
    +	 * @since 5.8.22
    +	 */
    +	public String nextStringValue(){
    +		char c = this.nextClean();
    +
    +		switch (c) {
    +			case '"':
    +			case '\'':
    +				return this.nextString(c);
    +			case '{':
    +			case '[':
    +				throw this.syntaxError("Sting value must be not begin with a '{' or '['");
    +		}
    +
    +		/*
    +		 * Handle unquoted text. This could be the values true, false, or null, or it can be a number.
    +		 * An implementation (such as this one) is allowed to also accept non-standard forms. Accumulate
    +		 * characters until we reach the end of the text or a formatting character.
    +		 */
    +
    +		final StringBuilder sb = new StringBuilder();
    +		while (c >= ' ' && ",:]}/\\\"[{;=#".indexOf(c) < 0) {
    +			sb.append(c);
    +			c = this.next();
    +		}
    +		this.back();
    +
    +		final String string = sb.toString().trim();
    +		if (string.isEmpty()) {
    +			throw this.syntaxError("Missing value");
    +		}
    +		return string;
    +	}
    +
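Review bot: the error message misspells "String" as "Sting" and is ungrammatical; suggest "String value must not begin with '{' or '['". The unquoted-text loop in nextStringValue() duplicates the accumulation logic already present in nextValue() (the `string.isEmpty()` change in the next hunk is inside that copy), so a future change to the delimiter set `,:]}/\\\"[{;=#` has to be made twice; factor the shared part into a private helper that returns the trimmed raw token and let nextValue() pass it to InternalJSONUtil.stringToValue(). The Javadoc reads 用户获取key, which should be 用于获取key (used to read a key).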
     	/**
     	 * 获得下一个值,值类型可以是Boolean, Double, Integer, JSONArray, JSONObject, Long, or String, or the JSONObject.NULL
     	 *
    @@ -366,7 +403,7 @@ public Object nextValue() throws JSONException {
     		this.back();
     
     		string = sb.toString().trim();
    -		if (0 == string.length()) {
    +		if (string.isEmpty()) {
     			throw this.syntaxError("Missing value");
     		}
     		return InternalJSONUtil.stringToValue(string);
    
  • hutool-json/src/test/java/cn/hutool/json/Issue3289Test.java (+23 −0, added)
    @@ -0,0 +1,23 @@
    +/*
    + * Copyright (c) 2023 looly(loolly@aliyun.com)
    + * Hutool is licensed under Mulan PSL v2.
    + * You can use this software according to the terms and conditions of the Mulan PSL v2.
    + * You may obtain a copy of Mulan PSL v2 at:
    + *          http://license.coscl.org.cn/MulanPSL2
    + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
    + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
    + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
    + * See the Mulan PSL v2 for more details.
    + */
    +
    +package cn.hutool.json;
    +
    +import org.junit.Test;
    +
    +public class Issue3289Test {
    +	@Test(expected = JSONException.class)
    +	public void parseTest() {
    +		final String s = "{\"a\":1,[6E962756779]}";
    +		JSONUtil.parse(s);
    +	}
    +}
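Review bot: the test covers only the '[' key case and only checks that some JSONException is raised. Add a case for a key beginning with '{', a case for an unquoted scalar key that should still parse, and a positive case showing a well-formed object still round-trips, so that a regression in nextStringValue() or in the key switch in parseTo is caught; asserting on the message (or using assertThrows and inspecting the exception) would also make sure the failure comes from the new syntax-error path rather than from some other code path.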
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
