Advisories for Maven/Org.json/Json package

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Decoding invalid JSON data can cause the JVM to hang in an infinite loop leading to a Denial of Service and high CPU consumption.

Decoding of invalid/partial JSON data such as [ causes the JVM to crash with an java.lang.StackOverflowError exception.

Denial of Service attacks are possible through decoding crafted JSON data triggering a java.lang.OutOfMemoryError exception.

A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of allows attackers to cause a Denial of Service (DoS) via crafted JSON data.

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.