CVE-2023-1370
Denial of Service vulnerability in json-smart (Maven)
What is CVE-2023-1370 About?
This vulnerability is a Denial of Service (DoS) in `net.minidev:json-smart` due to a `StackOverflowError` when parsing deeply nested JSON. The absence of a nesting limit causes stack exhaustion and crashes the software. It is relatively easy to exploit with a crafted JSON payload.
Affected Software
net.minidev:json-smart (Maven), all versions before 2.4.9.
Technical Details
The Denial of Service vulnerability in net.minidev:json-smart (versions before 2.4.9) arises from the parser's recursive handling of nested JSON arrays and objects. Each time the parser encounters a '[' or '{' it recurses to parse the nested array or object, and no depth limit is enforced on that recursion. An attacker who supplies a JSON document with a sufficiently deep structure of nested arrays or objects (tens of thousands of levels fit in a few hundred kilobytes of input) drives the recursion until the thread's call stack is exhausted, raising a java.lang.StackOverflowError that aborts the parse and unwinds the thread that was handling the input.
What is the Impact of CVE-2023-1370?
Successful exploitation allows an attacker to cause a denial of service, rendering the affected application unresponsive or crashing it. Because StackOverflowError is a java.lang.Error rather than an Exception, ordinary catch (Exception) handlers do not intercept it: the error unwinds the parsing thread, and if that thread is a request worker or an unguarded main thread the application loses the worker or exits.
What is the Exploitability of CVE-2023-1370?
Exploitation requires the ability to submit JSON input to an application using the vulnerable net.minidev:json-smart library. The complexity is low, as it primarily involves crafting a JSON payload with a very deep nesting structure (e.g., [[[[...]]]]). No specific authentication or elevated privileges are typically required if the JSON input is processed by a publicly accessible endpoint. This is generally a remote attack. The main constraint is that the application must be susceptible to processing untrusted JSON without depth limitations. Risk factors include exposing JSON parsing functionality to arbitrary user input without implementing maximum depth checks or input size limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-1370?
About the Fix from Resolved Security
This patch introduces a hard limit of 400 on the nesting depth of JSON objects and arrays in the JSON parser and throws a ParseException when the limit is exceeded, before the recursion can exhaust the stack. By refusing excessively deep structures it prevents the stack overflow and the resulting denial of service from malicious payloads, fixing CVE-2023-1370.
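The following Java program is an added example for the Technical Details and the fix described above; it is not code from the json-smart project or from this advisory. It assumes net.minidev:json-smart is on the classpath (any version: the catch blocks show both the pre-2.4.9 StackOverflowError and the 2.4.9+ ParseException), that the default thread stack is around 1 MB so that 100 000 levels of nesting is enough to overflow it, and that the application wants its own bound tighter than the library's 400. The names nestedArrays, maxNestingDepth and parseBounded are chosen here and are not part of the library.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

public class JsonSmartDepthDemo {

    // Constructed payload: `depth` opening brackets followed by `depth` closing ones.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Iterative pre-check (no recursion, O(n), no allocation): the deepest
    // array/object nesting in `json`. Brackets inside string literals are
    // ignored, so a string such as "]" cannot make a deep payload look shallow.
    // This only bounds depth; it does not validate the document.
    static int maxNestingDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                  // skip the escaped character
                else if (c == '"') inString = false;
                continue;
            }
            if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                if (++depth > max) max = depth;
            } else if (c == ']' || c == '}') {
                depth--;
            }
        }
        return max;
    }

    // Hypothetical application-side gate: reject before the library sees the input.
    static Object parseBounded(String json, int maxDepth) throws ParseException {
        if (maxNestingDepth(json) > maxDepth) {
            throw new IllegalArgumentException("JSON nesting exceeds " + maxDepth);
        }
        return new JSONParser(JSONParser.MODE_PERMISSIVE).parse(json);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: 100_000 levels is far beyond a default 1 MB thread stack (-Xss).
        String payload = nestedArrays(100_000);

        // 1. Behaviour of the library itself, with no application-side check.
        try {
            new JSONParser(JSONParser.MODE_PERMISSIVE).parse(payload);
            System.out.println("parsed without error (not expected)");
        } catch (ParseException e) {
            // json-smart >= 2.4.9: the parser stops at depth 400
            System.out.println("rejected by parser: " + e.getMessage());
        } catch (StackOverflowError e) {
            // json-smart < 2.4.9: the recursion exhausts the thread stack
            System.out.println("StackOverflowError: vulnerable json-smart");
        }

        // 2. Application-side gate, tighter than the library's 400.
        System.out.println("payload depth = " + maxNestingDepth(payload));
        // Constructed input whose strings contain brackets: ["]]]]", [["\""]]]
        System.out.println("string-aware depth = " + maxNestingDepth("[\"]]]]\", [[\"\\\"\"]]]"));
        try {
            parseBounded(payload, 32);
        } catch (IllegalArgumentException e) {
            System.out.println("gate: " + e.getMessage());
        }
        System.out.println("ok: " + parseBounded("{\"a\":[1,[2,[3]]]}", 32));
    }
}
```

Two points the program is meant to make. First, the pre-check has to be string-aware: for the constructed input with brackets inside strings it reports 3, whereas a counter that does not track string literals would see the four ']' characters in the first string, go negative, and report 1, which is exactly the trick an attacker would use to slip a deep payload past a naive filter. Second, catching StackOverflowError is done here only to show which library version is on the classpath; it is not a mitigation, since the error may surface in any frame between the parser and the handler and the JVM gives no guarantee about the state it leaves behind. Upgrading to 2.4.9 or gating depth before parsing is the fix.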
Available Upgrade Options
- net.minidev:json-smart
- <2.4.9 → Upgrade to 2.4.9
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-1370
- https://osv.dev/vulnerability/GHSA-493p-pfq6-5258
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
- https://github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8
- https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
- https://www.cve.org/CVERecord?id=CVE-2023-1370
- https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258
- https://github.com/netplex/json-smart-v2/issues/137
What are Similar Vulnerabilities to CVE-2023-1370?
Similar Vulnerabilities: CVE-2022-42004, CVE-2022-42003, CVE-2023-26144, CVE-2023-25153, CVE-2020-14195
