CVE-2018-18855: Uncontrolled Resource Consumption in Spray JSON

June 28, 2022 (updated September 30, 2025)

Recursive decent parsers are susceptible too StackOverflowExceptions on too deeply nested structures as currently “open” parsing state is kept on the stack.

References

github.com/advisories/GHSA-ww3v-6xjf-jv28
github.com/spray/spray-json
github.com/spray/spray-json/pull/284
nvd.nist.gov/vuln/detail/CVE-2018-18855
security.snyk.io/vuln/SNYK-JAVA-IOSPRAY-72601

Code Behaviors & Features

Detect and mitigate CVE-2018-18855 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →