CVE-2022-45688
stack overflow vulnerability in json (Maven)

Tags: stack overflow, Proof of concept, Fixable by Resolved Security

What is CVE-2022-45688 About?

This vulnerability is a stack overflow in the XML.toJSONObject component of Hutool-JSON and org.json library. It can be triggered by specially crafted JSON or XML data, leading to a denial of service. Exploitation is relatively easy as it only requires sending malformed data.

Affected Software

  • cn.hutool:hutool-json
    • <5.8.25
  • org.json:json
    • <20230227

Technical Details

The vulnerability exists in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227. XML.toJSONObject descends into nested elements recursively, and the affected versions place no bound on that recursion. An attacker can therefore supply a deeply nested or recursive JSON or XML document: each nesting level adds a call-stack frame, sufficiently deep input exhausts the stack, and the resulting stack overflow crashes the parsing thread or process, denying service to the affected application.

What is the Impact of CVE-2022-45688?

Successful exploitation may allow attackers to cause a denial of service, rendering the application or service unavailable to legitimate users.

What is the Exploitability of CVE-2022-45688?

Exploitation is of low complexity. The primary prerequisite is the ability to submit crafted JSON or XML data to an application that uses the vulnerable XML.toJSONObject component. No authentication or elevated privileges are required, because the vulnerability resides in data-parsing functionality that is usually reached before any authorization check. It is a remote vulnerability, since the malicious data can be sent over a network. The only conditions are that the application depends on an affected version of hutool-json or org.json:json and exposes an endpoint that feeds XML or JSON input to the parser. The risk of exploitation is high when the vulnerable component sits behind an exposed API or service.

What are the Known Public Exploits?

PoC Author   Link   Commentary
scabench     Link   simple application with a CVE-2022-45688 vulnerability
scabench     Link   simple application with a CVE-2022-45688 vulnerability
scabench     Link   simple application with a (unreachable!) CVE-2022-45688 vulnerability

What are the Available Fixes for CVE-2022-45688?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch introduces a configurable maximum nesting depth for XML parsing and throws an exception as soon as that depth is exceeded while converting XML to JSON or JSONML. This directly addresses CVE-2022-45688, a stack exhaustion (stack overflow) vulnerability caused by parsing deeply nested XML: bounding the recursion depth bounds stack usage, so the malformed input is rejected with an exception instead of crashing the application.
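The following is an added example, not code from the page or from the org.json project, showing how an application exercises that depth limit as a regression check. It assumes org.json 20230227 or later, where XMLParserConfiguration exposes withMaxNestingDepth (the API name as shipped in that release); the nested XML document and the depth cap of 64 are constructed for the example.

```java
import org.json.JSONException;
import org.json.JSONObject;
import org.json.XML;
import org.json.XMLParserConfiguration;

public class NestingDepthGuard {
    // Cap chosen for this example; the library's own default in 20230227+ is larger (512).
    static final int MAX_DEPTH = 64;

    /** Parse untrusted XML with the post-fix nesting limit instead of the unbounded default path. */
    static JSONObject parseWithLimit(String xml) {
        XMLParserConfiguration cfg =
                XMLParserConfiguration.ORIGINAL.withMaxNestingDepth(MAX_DEPTH);
        return XML.toJSONObject(xml, cfg);
    }

    /** Constructed test input: <a><a>...x...</a></a> nested `depth` levels deep. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("<a>");
        sb.append("x");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Well within the cap: parses normally.
        System.out.println("shallow: " + parseWithLimit(nested(10)));

        // Far beyond the cap: a fixed build rejects this with a JSONException
        // before the recursion can grow deep enough to throw StackOverflowError.
        try {
            parseWithLimit(nested(MAX_DEPTH * 4));
            System.out.println("unexpected: deep input was accepted");
        } catch (JSONException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

On a build older than 20230227 the second call has no depth check at all, so in a deployment that cannot upgrade yet the same nested() input is a useful probe for confirming which code paths are still exposed.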

Available Upgrade Options

  • cn.hutool:hutool-json
    • <5.8.25 → Upgrade to 5.8.25
  • org.json:json
    • <20230227 → Upgrade to 20230227


Additional Resources

What are Similar Vulnerabilities to CVE-2022-45688?

Similar Vulnerabilities: CVE-2021-36159, CVE-2021-38185, CVE-2020-2569, CVE-2020-15389, CVE-2019-15886