CVE-2022-45688 Overview
A stack overflow vulnerability exists in the XML.toJSONObject component of hutool-json v5.8.10 that allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. This vulnerability affects both the Hutool library and the stleary JSON-java library, impacting applications that parse untrusted XML or JSON input using these components.
Critical Impact
Attackers can crash applications by sending specially crafted XML or JSON data, leading to service unavailability and potential cascading failures in dependent systems.
Affected Products
- Hutool hutool version 5.8.10
- stleary json-java (multiple versions)
Discovery Timeline
- 2022-12-13 - CVE CVE-2022-45688 published to NVD
- 2025-09-19 - Last updated in NVD database
Technical Details for CVE-2022-45688
Vulnerability Analysis
This vulnerability is classified under CWE-787 (Out-of-bounds Write), which in this context manifests as a stack overflow condition. The vulnerability occurs when the XML.toJSONObject method processes deeply nested or maliciously crafted XML/JSON structures. The recursive parsing logic does not adequately limit recursion depth, allowing attackers to exhaust the stack memory through excessively nested data structures.
The network-accessible nature of this vulnerability means that any application exposing XML or JSON parsing functionality using the affected libraries can be targeted remotely. No authentication or user interaction is required, making exploitation straightforward for attackers who can submit data to vulnerable endpoints.
Root Cause
The root cause lies in insufficient recursion depth controls within the XML-to-JSON conversion logic. When parsing nested XML elements, the XML.toJSONObject function recursively processes child elements without enforcing a maximum depth limit. This design flaw allows attackers to craft input with extreme nesting levels that consume available stack space, ultimately triggering a StackOverflowError and crashing the Java Virtual Machine thread or process.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying an endpoint that accepts XML or JSON input and processes it using the vulnerable Hutool or JSON-java libraries
- Crafting a malicious payload with deeply nested structures (e.g., thousands of nested XML tags or JSON objects)
- Submitting the payload to the target application
- Triggering the recursive parser, which exhausts stack memory and causes the application to crash or become unresponsive
The vulnerability affects the availability of the system without impacting confidentiality or integrity, as the attack results in denial of service rather than data exposure or modification.
Detection Methods for CVE-2022-45688
Indicators of Compromise
- Repeated application crashes or StackOverflowError exceptions in logs
- Unusual XML or JSON payloads with extreme nesting depth in request logs
- Elevated memory consumption patterns preceding service failures
- Multiple requests containing deeply nested data structures from the same source
Detection Strategies
- Monitor application logs for java.lang.StackOverflowError exceptions, particularly in XML/JSON parsing code paths
- Implement request payload size and complexity analysis at the web application firewall level
- Deploy runtime application self-protection (RASP) to detect and block recursive parsing abuse
- Review dependency versions to identify usage of hutool-json version 5.8.10 or vulnerable json-java versions
Monitoring Recommendations
- Configure alerting on repeated crash events or high restart frequencies for affected services
- Monitor thread and stack utilization metrics for abnormal patterns
- Implement centralized logging to correlate DoS attempts across distributed systems
- Track input payload characteristics to identify potential exploit attempts
How to Mitigate CVE-2022-45688
Immediate Actions Required
- Update Hutool to a patched version that addresses the recursion depth issue
- Update the stleary JSON-java library to the latest secure version
- Implement input validation to reject excessively nested XML or JSON structures before parsing
- Deploy web application firewall rules to limit request payload complexity
Patch Information
Patching information can be found in the related GitHub issues. The Hutool project has documented this vulnerability in GitHub Issue #2748, and the JSON-java project has addressed it in GitHub Issue #708. Users should review these issues for specific version recommendations and upgrade paths.
Workarounds
- Implement a custom XML/JSON parser wrapper that enforces maximum recursion depth limits
- Use input validation middleware to reject payloads exceeding a reasonable nesting threshold (e.g., 100 levels)
- Consider alternative XML/JSON parsing libraries with built-in recursion protection
- Deploy rate limiting on endpoints that accept XML or JSON input to reduce DoS impact
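As an added example that is not part of this advisory, of Hutool or of JSON-java, the following Java class (Java 11 or later) implements the first two workarounds above for the XML path: it measures element nesting depth with the JDK's streaming StAX parser, which keeps an explicit element stack instead of recursing, and refuses to hand the document to XML.toJSONObject when the depth exceeds a limit or the document is not well-formed. The class name, method names and the 100-level limit are this example's own choices; the JSON path would need an equivalent brace-depth check.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical guard class written for this example; not part of Hutool or JSON-java.
public final class XmlDepthGuard {
    private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
    static {
        // The guard must not become an XXE or entity-expansion sink of its own.
        FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }

    // Maximum element nesting depth, measured without recursion; throws on malformed XML.
    public static int nestingDepth(String xml) throws XMLStreamException {
        XMLStreamReader r = FACTORY.createXMLStreamReader(new StringReader(xml));
        int depth = 0, max = 0;
        try {
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.START_ELEMENT) {
                    max = Math.max(max, ++depth);
                } else if (event == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                } // text, CDATA, comments and processing instructions never change depth
            }
        } finally {
            r.close();
        }
        return max;
    }

    // Fail closed: only well-formed XML nested no deeper than maxDepth may reach the parser.
    public static boolean isSafeToParse(String xml, int maxDepth) {
        try {
            return nestingDepth(xml) <= maxDepth;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String benign = "<order><item><sku>A1</sku></item></order>";    // constructed sample, depth 3
        String deep = "<a>".repeat(5000) + "</a>".repeat(5000);          // constructed sample, depth 5000
        System.out.println("benign accepted: " + isSafeToParse(benign, 100));
        System.out.println("deep accepted:   " + isSafeToParse(deep, 100));
        // In the application, call cn.hutool.json.XML.toJSONObject(body) only when isSafeToParse(body, 100) is true.
    }
}
```

Because the guard uses the JDK parser rather than the vulnerable library, it stays usable as a request filter even before the dependency upgrade lands.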
Configuration example - Maven dependency update for Hutool. Update pom.xml to use a patched version (check GitHub for the latest secure version):

<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-json</artifactId>
    <version>[LATEST_SECURE_VERSION]</version>
</dependency>

Verify the versions currently resolved on the classpath. The stleary JSON-java library is published under the Maven coordinates org.json:json, so the dependency tree must be searched for that groupId rather than for the GitHub project name:

mvn dependency:tree | grep -E "hutool|org\.json"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


