CVE-2023-1370 Overview
Json-smart is a performance-focused JSON processor library for Java. A critical stack exhaustion vulnerability has been discovered in the library's JSON parsing functionality. When the parser encounters '[' or '{' characters in JSON input, it processes arrays or objects respectively using recursive parsing. The vulnerability stems from the absence of any depth limit for nesting these structures, allowing attackers to craft malicious JSON payloads with excessive nesting that triggers a stack overflow and crashes the application.
Critical Impact
Unauthenticated attackers can remotely crash applications using Json-smart by sending specially crafted JSON with deeply nested structures, causing denial of service without requiring any user interaction.
Affected Products
- Json-smart_project Json-smart (all versions prior to patched releases)
Discovery Timeline
- 2023-03-22 - CVE CVE-2023-1370 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-1370
Vulnerability Analysis
This vulnerability is classified as CWE-674 (Uncontrolled Recursion), a dangerous pattern where recursive function calls lack proper depth controls. The Json-smart library's parsing implementation processes nested JSON structures through recursive method calls. Each nested array ([) or object ({) in the JSON input triggers a new level of recursion on the call stack.
Since there is no maximum nesting depth enforced by the parser, an attacker can construct a JSON payload with thousands of nested brackets. When the parser attempts to process such input, each nesting level consumes stack memory until the Java Virtual Machine's stack space is exhausted, resulting in a StackOverflowError that terminates the parsing thread or crashes the entire application.
The network-accessible nature of this vulnerability means any application that accepts JSON input from untrusted sources and parses it with Json-smart is at risk. This includes REST APIs, web services, message processors, and configuration parsers exposed to user input.
Root Cause
The root cause is the absence of recursion depth limiting in the JSON parsing logic. When the parser encounters nested structures, it recursively calls the same parsing method for each level without tracking or limiting the current depth. This design flaw allows unbounded stack growth proportional to the nesting depth of the input JSON.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker crafts a malicious JSON payload consisting of deeply nested arrays or objects—typically thousands of opening brackets followed by corresponding closing brackets. When this payload is sent to a vulnerable application endpoint that processes JSON using Json-smart, the parser's recursive descent triggers stack exhaustion.
The attack payload is trivial to construct: a string of repeating [ characters (e.g., 10,000 nested arrays) followed by matching ] characters. No special privileges or user interaction are required, making this a low-complexity attack with high impact on availability.
For detailed technical analysis and proof-of-concept information, refer to the JFrog Research Vulnerability Report.
Detection Methods for CVE-2023-1370
Indicators of Compromise
- Application crashes with java.lang.StackOverflowError in thread dumps showing Json-smart parsing methods in the stack trace
- Repeated service restarts or unavailability coinciding with incoming JSON requests
- Unusually large or malformed JSON payloads in application logs with excessive bracket characters
- Increased error rates in JSON parsing operations
Detection Strategies
- Monitor application logs for StackOverflowError exceptions, particularly those originating from Json-smart library classes such as net.minidev.json.parser
- Implement request payload size and complexity limits at the API gateway or reverse proxy layer
- Deploy runtime application self-protection (RASP) solutions that can detect and block deeply nested JSON structures
- Use SentinelOne Singularity to monitor for abnormal application crashes and resource exhaustion patterns
Monitoring Recommendations
- Configure alerting on JVM crashes and unexpected process terminations in production environments
- Implement application performance monitoring (APM) to detect parsing latency anomalies that may precede stack exhaustion
- Review web application firewall (WAF) logs for requests containing suspicious patterns of repeated bracket characters
- Enable verbose logging for JSON parsing operations during investigation periods
How to Mitigate CVE-2023-1370
Immediate Actions Required
- Inventory all applications using Json-smart and prioritize patching based on exposure to untrusted input
- Update Json-smart to the latest patched version that implements nesting depth limits
- Implement input validation at the application boundary to reject JSON payloads exceeding reasonable nesting depths
- Consider temporary deployment of WAF rules to block requests with excessive JSON nesting
Patch Information
Security patches are available for Json-smart that introduce maximum nesting depth limits to prevent stack exhaustion. Review the JFrog Research Vulnerability Report for version-specific remediation guidance. For NetApp products, consult the NetApp Security Advisory NTAP-20240621-0006 for applicable updates.
Workarounds
- Implement a custom input filter that counts nesting depth before passing JSON to the parser, rejecting payloads exceeding a threshold (e.g., 100 levels)
- Configure reverse proxies or API gateways to limit request body sizes and implement JSON structure validation
- Consider migrating to alternative JSON parsing libraries with built-in recursion depth protections
- Increase JVM stack size as a temporary measure (not recommended as a permanent solution as it only raises the attack threshold)
# Example: Configure API gateway to limit JSON nesting depth
# For nginx with lua module
# Add to location block processing JSON:
access_by_lua_block {
local cjson = require "cjson"
local body = ngx.req.get_body_data()
if body then
local depth = 0
local max_depth = 100
for c in body:gmatch(".") do
if c == "[" or c == "{" then
depth = depth + 1
if depth > max_depth then
ngx.exit(400)
end
elseif c == "]" or c == "}" then
depth = depth - 1
end
end
end
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
