CVE-2023-51080
Description
The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In hutool-core 5.8.23, NumberUtil.toBigDecimal(String) with non-numeric input like 'NaN' causes infinite recursion leading to StackOverflowError.
Vulnerability Overview
The NumberUtil.toBigDecimal method in hutool-core version 5.8.23 is susceptible to a stack overflow when processing certain non-numeric string inputs such as "NaN". The root cause lies in the method's parsing logic, which invokes parseNumber to parse the string with NumberFormat; the parsed result is passed back into toBigDecimal, so the calls recurse until the call stack is exhausted [1][3].
Exploitation Conditions
An attacker can exploit this vulnerability by providing a specially crafted string (e.g., "NaN") to any application that calls NumberUtil.toBigDecimal with untrusted input. No authentication or special network access is required; the attack vector is the application's input parsing functionality [1].
Impact
Successful exploitation results in a denial of service (DoS) condition due to a StackOverflowError, causing the Java application to crash. The vulnerability does not lead to remote code execution or data leakage.
Mitigation
The issue has been addressed in a subsequent commit (c45b3fcc) that modifies the toBigDecimal method to avoid recursive parsing [3]. Users should upgrade to a patched version of hutool-core (e.g., 5.8.24 or later) or apply the commit manually. As a temporary workaround, input validation can prevent non-numeric strings from reaching the vulnerable method.
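The workaround above (keeping non-numeric strings away from the parser) is easiest to get right when the conversion itself cannot re-enter. The class below is an added illustration, not hutool code: `SafeDecimal.toBigDecimalOrNull` is an assumed name, it tries the strict BigDecimal constructor first, falls back to a NumberFormat parse for grouped input (US grouping is assumed), requires the whole string to be consumed, and refuses NaN and infinite results instead of converting them through toString() and parsing again, which is the loop this CVE describes.

```java
import java.math.BigDecimal;
import java.text.NumberFormat;
import java.text.ParsePosition;
import java.util.Locale;

/** Added example: a non-recursive, validating BigDecimal parser (not hutool's code). */
public final class SafeDecimal {

    /**
     * Returns the parsed value, or null when the input is not a finite number.
     * The method never calls itself, so no input can drive the call stack deeper
     * than a single frame regardless of what NumberFormat hands back.
     */
    public static BigDecimal toBigDecimalOrNull(String text) {
        if (text == null) {
            return null;
        }
        String s = text.trim();
        if (s.isEmpty()) {
            return null;
        }

        // Fast path: plain decimals and scientific notation such as "9.0E+7".
        try {
            return new BigDecimal(s);
        } catch (NumberFormatException ignored) {
            // Not a literal BigDecimal; try the grouped form below.
        }

        // Slow path: locale-grouped input such as "1,234.56" (Locale.US assumed).
        NumberFormat fmt = NumberFormat.getInstance(Locale.US);
        ParsePosition pos = new ParsePosition(0);
        Number parsed = fmt.parse(s, pos);

        // Reject partial matches ("12abc") and anything the formatter could not read at all.
        if (parsed == null || pos.getIndex() != s.length()) {
            return null;
        }

        // NumberFormat may return Double.NaN or an infinity for inputs like "NaN".
        // Converting those via toString() and re-parsing the text is the recursion
        // described in the advisory, so stop here and treat them as invalid.
        if (parsed instanceof Double) {
            double d = (Double) parsed;
            if (Double.isNaN(d) || Double.isInfinite(d)) {
                return null;
            }
            return BigDecimal.valueOf(d);
        }
        // Long (or other integral Number) results convert losslessly through their text form.
        return new BigDecimal(parsed.toString());
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the fast path, the grouped path, and rejections.
        String[] samples = {"9.0E+7", "1,234.56", "NaN", "Infinity", "12abc", ""};
        for (String sample : samples) {
            System.out.println("\"" + sample + "\" -> " + toBigDecimalOrNull(sample));
        }
    }
}
```

Callers that need an exception rather than null can throw on the null result; the important property is that the decision is made once, in one frame, with the non-finite check placed before any string round-trip.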
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cn.hutool:hutool-core (Maven) | >= 5.8.22, < 5.8.25 | 5.8.25 |
Affected products
- hutool-core/hutool-core
Patches
c45b3fccdab4: NumberUtil.toBigDecimal scientific notation conversion problem
4 files changed · +35 −12
CHANGELOG.md+3 −2 modified@@ -5,10 +5,11 @@ # 5.8.22(2023-08-02) ### 🐣新特性 -* 【core 】 NumberUtil.nullToZero增加重载(issue#I7PPD2@Github) -* 【core 】 DesensitizedUtil增加清空策略(issue#I7PUJ2@Github) +* 【core 】 NumberUtil.nullToZero增加重载(issue#I7PPD2@Gitee) +* 【core 】 DesensitizedUtil增加清空策略(issue#I7PUJ2@Gitee) ### 🐞Bug修复 +* 【core 】 NumberUtil.toBigDecimal转换科学计数法问题(issue#3241@Github) ------------------------------------------------------------------------------------------------------------- # 5.8.21(2023-07-29)
hutool-core/src/main/java/cn/hutool/core/util/NumberUtil.java+5 −10 modified@@ -2240,19 +2240,14 @@ public static BigDecimal toBigDecimal(String numberStr) { return BigDecimal.ZERO; } - try { - // 支持类似于 1,234.55 格式的数字 - final Number number = parseNumber(numberStr); - if (number instanceof BigDecimal) { - return (BigDecimal) number; - } else { - return new BigDecimal(number.toString()); - } - } catch (Exception ignore) { + try{ + return new BigDecimal(numberStr); + } catch (Exception ignore){ // 忽略解析错误 } - return new BigDecimal(numberStr); + // 支持类似于 1,234.55 格式的数字 + return toBigDecimal(parseNumber(numberStr)); } /**
hutool-core/src/test/java/cn/hutool/core/convert/Issue3241Test.java+25 −0 added@@ -0,0 +1,25 @@ +/* + * Copyright (c) 2023 looly(loolly@aliyun.com) + * Hutool is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + */ + +package cn.hutool.core.convert; + +import org.junit.Assert; +import org.junit.Test; + +import java.math.BigDecimal; + +public class Issue3241Test { + @Test + public void toBigDecimalTest() { + Assert.assertEquals(new BigDecimal("9.0E+7"), Convert.toBigDecimal("9.0E+7")); + } +}
hutool-core/src/test/java/cn/hutool/core/util/NumberUtilTest.java+2 −0 modified@@ -249,6 +249,8 @@ public void toBigDecimalTest() { bigDecimal = NumberUtil.toBigDecimal("1,234.56D"); Assert.assertEquals("1234.56", bigDecimal.toString()); + + Assert.assertEquals(new BigDecimal("9.0E+7"), NumberUtil.toBigDecimal("9.0E+7")); } @Test
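Review bot: in the NumberUtil.java hunk, the new fallback `return toBigDecimal(parseNumber(numberStr));` hands the parsed Number to another toBigDecimal overload instead of converting it in place, and nothing on that path bounds re-entry: if the overload turns a non-BigDecimal result back into a string and calls this method again, an input that `new BigDecimal(numberStr)` rejects but parseNumber accepts (the "NaN" case this CVE describes) has no terminating branch. Suggest keeping the conversion local, as the removed lines did (`if (number instanceof BigDecimal) { return (BigDecimal) number; } else { return new BigDecimal(number.toString()); }`), and rejecting NaN or infinite Double results before any toString() round-trip. The `catch (Exception ignore)` should also be narrowed to NumberFormatException so unrelated failures are not silently masked.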
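Review bot: the Issue3241Test hunk and the NumberUtilTest addition assert only the happy path for "9.0E+7"; the grouped fallback is exercised by the existing "1,234.56D" context line, but neither test covers an input that both `new BigDecimal` and the fallback must reject. Add a negative case asserting that an unparseable string such as "NaN" fails fast (exception or a defined sentinel) rather than recursing, since that is the branch the two-stage parse introduces.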
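Review bot: the CHANGELOG.md hunk mixes an unrelated edit into this bug-fix commit, rewriting the issue links of two existing 5.8.22 entries from `@Github` to `@Gitee`; split that into its own change so the fix entry under "Bug修复" is the only substantive line and the history stays reviewable.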
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.