VYPR
High severity · NVD Advisory · Published Oct 12, 2023 · Updated Feb 13, 2025

DoS Vulnerability in JSON-Java

CVE-2023-5072

Description

JSON-Java up to 20230618 has a parser bug where an embedded null byte (\0) is confused with EOF, causing unbounded memory allocation and denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2023-5072 is a denial-of-service (DoS) vulnerability in the JSON-Java (org.json) library up to version 20230618. The root cause is a parser bug where the null character (\0) is indistinguishable from the end-of-file (EOF) marker in the tokenizer [1][2]. This confusion leads the parser to skip past valid content, continuing to read and allocate memory indefinitely when processing a specially crafted JSON input of modest size [1].

Exploitation

An attacker can exploit this by supplying a JSON string containing embedded null characters. No authentication is required; the vulnerability is triggered solely by parsing the malicious input. The issue is tracked in GitHub issue #758, and a fix was proposed in pull request #759, which changes the parser to properly detect embedded \0 values instead of treating them as EOF [2][4].

Impact

Successful exploitation results in uncontrolled memory consumption, leading to an OutOfMemoryError and denial of service for any application using the affected library to parse untrusted JSON data [1][2]. The impact is limited to availability; confidentiality and integrity are not affected.

Mitigation

The vulnerability is fixed in release 20231013 and later, with the patch merged via pull request #759 [3][4]. Users should upgrade to a patched version immediately. There is no known workaround short of sanitizing input to remove null bytes, which is not recommended as a permanent solution.
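The 0-versus-EOF ambiguity that the fix resolves, shown with an added toy tokenizer (an illustration written for this page, not org.json's code): the `Tokener` class, `scan` and its position reporting are hypothetical, while the `end()` check mirrors the one added in pull request #759.

```java
public class NulVersusEof {
    // Toy tokenizer (hypothetical, not org.json's): as the advisory describes,
    // next() yields the char 0 both at end of input and for a literal NUL.
    static final class Tokener {
        private final String src;
        private int pos = 0;
        private boolean eof = false;
        Tokener(String src) { this.src = src; }

        // Next char, or 0 once the input is exhausted (the ambiguous sentinel).
        char next() {
            if (pos >= src.length()) { eof = true; return 0; }
            return src.charAt(pos++);
        }

        // Next non-whitespace char; inherits the 0 ambiguity from next().
        char nextClean() {
            char c;
            do { c = next(); } while (c == ' ' || c == '\t' || c == '\n' || c == '\r');
            return c;
        }

        // True only when the input is really exhausted, never for an embedded NUL.
        boolean end() { return eof; }
        int position() { return pos; }
    }

    // Counts non-whitespace chars up to the real end of input. A 0 returned
    // while end() is still false is an embedded NUL and is rejected instead of
    // being mistaken for EOF, the same distinction the PR #759 check relies on.
    static int scan(String text) {
        Tokener x = new Tokener(text);
        int count = 0;
        for (;;) {
            char c = x.nextClean();
            if (c == 0) {
                if (x.end()) return count; // genuine end of input
                throw new IllegalArgumentException("Embedded NUL at character " + x.position());
            }
            count++;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a clean document and the NUL-after-comma case from the patch's test.
        System.out.println(scan("{\"myKey\":true, \"myOtherKey\":false}"));
        try {
            scan("{\"myKey\":true, \0\"myOtherKey\":false}");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```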

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions   Patched versions
org.json:json   Maven       < 20231013          20231013

Patches (1)

Commit 60662e2f8384

Merge pull request #759 from eamonnmcmanus/eofnull

https://github.com/stleary/JSON-java · Sean Leary · Aug 5, 2023 · via ghsa
2 files changed · +12 −0
  • src/main/java/org/json/JSONObject.java · +3 −0 · modified
    @@ -256,6 +256,9 @@ public JSONObject(JSONTokener x) throws JSONException {
                     if (x.nextClean() == '}') {
                         return;
                     }
    +                if (x.end()) {
    +                    throw x.syntaxError("A JSONObject text must end with '}'");
    +                }
                     x.back();
                     break;
                 case '}':
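Review bot: the new `if (x.end())` guard covers only the path taken after a `,`, where `nextClean()` has just returned something other than `'}'`; since `nextClean()` reports 0 both for a real EOF and for an embedded `\0`, a short comment explaining why the other `nextClean()` results in this constructor do not need the same `end()` distinction (or a matching guard there) would make the fix easier to review and maintain. The thrown message reuses the existing "A JSONObject text must end with '}'" wording, which is consistent with the surrounding error texts.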
    
  • src/test/java/org/json/junit/JSONObjectTest.java · +9 −0 · modified
    @@ -2225,6 +2225,15 @@ public void jsonObjectParsingErrors() {
                         "Expected a ',' or '}' at 15 [character 16 line 1]",
                         e.getMessage());
             }
    +        try {
    +            // \0 after ,
    +            String str = "{\"myKey\":true, \0\"myOtherKey\":false}";
    +            assertNull("Expected an exception",new JSONObject(str));
    +        } catch (JSONException e) {
    +            assertEquals("Expecting an exception message",
    +                    "A JSONObject text must end with '}' at 15 [character 16 line 1]",
    +                    e.getMessage());
    +        }
             try {
                 // append to wrong key
                 String str = "{\"myKey\":true, \"myOtherKey\":false}";
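Review bot: the `assertNull("Expected an exception", new JSONObject(str))` line only fails because the constructor returns a non-null object; `fail("Expected an exception")` after the constructor call states the intent directly and would be clearer, even though it departs from the pattern of the neighbouring cases. The new case exercises a `\0` only in the position the fix guards (after the `,`); a second input with the null byte elsewhere in the object text would document that the other positions are already rejected.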
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
