A denial of service vulnerability in JSON-Java was discovered by ClusterFuzz. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Decoding invalid JSON data can cause the JVM to hang in an infinite loop leading to a Denial of Service and high CPU consumption.
Decoding of invalid/partial JSON data such as [ causes the JVM to crash with an java.lang.StackOverflowError exception.
Denial of Service attacks are possible through decoding crafted JSON data triggering a java.lang.OutOfMemoryError exception.
A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.