CVE-2024-47855
Description
util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-47855: JSON-lib before 3.1.0 mishandles unbalanced comment strings in util/JSONTokener.java, potentially causing denial of service.
Vulnerability Overview
CVE-2024-47855 affects the JSON-lib library prior to version 3.1.0. The vulnerability resides in the util/JSONTokener.java component, which fails to properly handle an unbalanced comment string during parsing [1]. This can lead to unexpected behavior when processing specially crafted JSON input containing malformed comments.
Exploitation Scenario
An attacker can exploit this issue by supplying a JSON input that includes an unbalanced comment string (e.g., a comment start marker without a corresponding end marker). No authentication is required, and the attack can be performed over the network if the application parses untrusted JSON data using the affected library [3]. The vulnerable code path is triggered during tokenization, which occurs before further JSON processing.
Impact
Successful exploitation could cause the JSONTokener to enter an invalid state, potentially leading to a denial-of-service condition, such as excessive resource consumption or application crash [3]. The CVSS v3 base score is 5.3 (Medium), reflecting the low complexity and network attack vector, with a primary impact on availability [3].
Mitigation
The issue is fixed in JSON-lib version 3.1.0. Users should upgrade to this version or later to remediate the vulnerability [1][2]. The fix is included in the commit referenced by the vendor and in the release comparison between versions 3.0.3 and 3.1.0 [1][3].
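The failure mode behind this CVE is a comment-skipping loop that never reaches end of input. The following is an added example, not JSON-lib's code: a minimal, hypothetical CommentSkippingTokener class whose nextClean() follows the same structure (next(), back(), more()) as a JSONTokener-style scanner, but treats end of input inside a block comment, including the case where the input ends right after a '*', as a syntax error instead of stepping back and re-reading the same character indefinitely. All inputs in main() are constructed for the demonstration.

```java
// Added example (not JSON-lib's code): a minimal tokenizer that skips JSON
// comments the way a JSONTokener-style nextClean() does, with an explicit
// end-of-input guard inside the block-comment loop. Class and method names
// are hypothetical.
public final class CommentSkippingTokener {
    private final String source;
    private int index;

    public CommentSkippingTokener(String source) {
        this.source = source;
        this.index = 0;
    }

    /** Returns the next character, or 0 when the input is exhausted (index is not advanced). */
    public char next() {
        if (index < source.length()) {
            return source.charAt(index++);
        }
        return 0;
    }

    /** True while unread characters remain. */
    public boolean more() {
        return index < source.length();
    }

    /** Steps back one character; a no-op at the start of the input. */
    public void back() {
        if (index > 0) {
            index--;
        }
    }

    /**
     * Returns the next character that is neither whitespace nor part of a
     * comment, or 0 at end of input. An unterminated block comment is
     * rejected with an exception instead of being retried forever.
     */
    public char nextClean() {
        for (;;) {
            char c = next();
            if (c == '/') {
                switch (next()) {
                    case '/':
                        // Line comment: skip to end of line or end of input.
                        do {
                            c = next();
                        } while (c != '\n' && c != '\r' && c != 0);
                        break;
                    case '*':
                        // Block comment: scan for the closing "*/".
                        for (;;) {
                            c = next();
                            if (c == 0) {
                                throw new IllegalStateException("Unclosed comment at offset " + index);
                            }
                            if (c == '*') {
                                if (next() == '/') {
                                    break;
                                }
                                // The '*' was not followed by '/'. If the input ended here,
                                // next() returned 0 without advancing, and back() would
                                // re-read the same '*' on every iteration; fail instead.
                                if (!more()) {
                                    throw new IllegalStateException("Unclosed comment at offset " + index);
                                }
                                back();
                            }
                        }
                        break;
                    default:
                        // A lone '/' is returned as a token in its own right.
                        back();
                        return '/';
                }
            } else if (c == 0 || c > ' ') {
                return c;
            }
        }
    }

    public static void main(String[] args) {
        // Well-formed constructed input: both comment forms are skipped, first real token is '4'.
        System.out.println(new CommentSkippingTokener("/* lead */ // note\n  42").nextClean());
        // Constructed inputs that end inside a block comment are rejected rather than looped on.
        for (String bad : new String[] {"/**", "/*", "/* text *", "/* a ** b"}) {
            try {
                new CommentSkippingTokener(bad).nextClean();
                System.out.println("unexpectedly accepted: " + bad);
            } catch (IllegalStateException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Two guards are needed, not one: the check on c == 0 covers input that ends with no trailing '*' (such as "/*"), while the more() check covers input that ends immediately after a '*' (such as "/**"), where next() reports end of input without moving the index and an unconditional back() would undo the only progress made. A regression in either guard shows up as a hang, not a failure, so a test for this class of input should carry a timeout.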
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.kordamp.json:json-lib-core (Maven) | < 3.1.0 | 3.1.0 |
| net.sf.json-lib:json-lib (Maven) | <= 2.4 | — |
Affected products
Patches
a0c4a0eae277 fix: Handle unbalanced comment string
2 files changed · +11 −0
subprojects/json-lib-core/src/main/java/org/kordamp/json/util/JSONTokener.java+2 −0 modified@@ -203,6 +203,8 @@ public char nextClean() { if (c == '*') { if (next() == '/') { break; + } else if (!more()) { + return 0; } back(); }
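Review bot: the new `} else if (!more()) { return 0; }` branch returns 0 as an end-of-input sentinel rather than raising a syntax error, so the caller has to recognise 0 as "unterminated comment"; the accompanying test expects a JSONException, which therefore depends on how the caller treats a 0 from nextClean() rather than on this hunk alone. Throwing at this point (as the surrounding tokenizer does for other malformed input) would keep the diagnostic next to its cause and make the contract of nextClean() explicit. Also note that the guard only covers input that ends immediately after a '*'; the case where the comment body runs to end of input with no trailing '*' is handled outside this hunk, so it is worth confirming that path already terminates.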
subprojects/json-lib-core/src/test/java/org/kordamp/json/TestJSONSerializer.java+9 −0 modified@@ -144,6 +144,15 @@ public void testToJava_JSONObject_4() { assertEquals(beanB.getValue(), ((ValueBean) bb).getValue()); } + public void testToJava_JSONObject_5() throws Exception { + try { + JSONObject.fromObject("/**"); + fail("Should have thrown a JSONException"); + } catch (JSONException expected) { + // ok + } + } + public void testToJava_JSONObject_and_reset() throws Exception { String json = "{bool:true,integer:1,string:\"json\"}"; JSONObject jsonObject = JSONObject.fromObject(json);
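Review bot: a regression of the fix this test covers would manifest as a non-terminating parse, so `testToJava_JSONObject_5` would hang the build rather than fail; give it a timeout. The test also exercises only the single input "/**"; adding the neighbouring shapes ("/*", "/* text *") would pin down both the trailing-'*' case fixed here and the plain end-of-input case. A descriptive name such as `testFromObject_unterminatedComment` would say what is being protected, which the numbered name does not.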
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wwcp-26wc-3fxm (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-47855 (ghsa, advisory)
- github.com/kordamp/json-lib/blob/35a1f2aa22bac260438c0cf2399549311b5a21aa/pom.xml (ghsa, web)
- github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e (nvd, web)
- github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0 (nvd, web)
- sourceforge.net/projects/json-lib (ghsa, web)
News mentions
- Jenkins Security Advisory 2024-11-27 (Jenkins Security Advisories · Nov 27, 2024)