CVE-2023-5072 Overview
CVE-2023-5072 is a Denial of Service vulnerability affecting JSON-Java (org.json) versions up to and including 20230618. A bug in the JSON parser means that an input string of modest size can lead to indefinite amounts of memory being used, potentially causing application crashes or system unavailability. This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling), highlighting improper resource management in the parsing logic.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to cause memory exhaustion and denial of service conditions in applications using vulnerable versions of the JSON-Java library.
Affected Products
- stleary json-java versions up to and including 20230618
- Applications and services using the vulnerable JSON-Java library as a dependency
- Enterprise systems incorporating JSON-Java for JSON parsing operations
Discovery Timeline
- 2023-10-12 - CVE-2023-5072 published to NVD
- 2025-09-19 - Last updated in NVD database
Technical Details for CVE-2023-5072
Vulnerability Analysis
The vulnerability exists in the JSON-Java parser's handling of certain input strings. When processing specially crafted JSON input, the parser fails to properly limit memory allocation, allowing relatively small input strings to trigger disproportionately large memory consumption. This resource exhaustion vulnerability can be exploited remotely over the network without requiring any authentication or user interaction.
The flaw represents an algorithmic complexity attack where the parser's behavior becomes pathological when encountering specific input patterns. Rather than linear or predictable memory growth, the parser allocates memory in an uncontrolled manner, quickly exhausting available heap space.
Root Cause
The root cause is improper resource allocation handling in the JSON parsing logic. The parser lacks adequate bounds checking and memory allocation limits when processing certain input structures. This falls under CWE-770 (Allocation of Resources Without Limits or Throttling), where the application allocates resources without imposing reasonable constraints on the size or number of resources allocated.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can send a maliciously crafted JSON payload to any endpoint that uses the vulnerable JSON-Java library for parsing. The modest-sized input triggers the parser bug, causing excessive memory allocation that can lead to:
- Application heap exhaustion and OutOfMemoryError exceptions
- Service degradation or complete unavailability
- Cascading failures in dependent services
- Potential system-wide resource exhaustion in containerized environments
The vulnerability is particularly dangerous because the attack payload can be relatively small while causing disproportionate memory consumption, making it difficult to detect through simple size-based filtering.
Detection Methods for CVE-2023-5072
Indicators of Compromise
- Sudden memory consumption spikes in applications using JSON-Java for parsing operations
- OutOfMemoryError exceptions in application logs correlating with JSON parsing activities
- Unusual garbage collection activity or prolonged GC pauses in JVM-based applications
- Service unavailability or degraded response times following receipt of JSON payloads
Detection Strategies
- Implement Software Composition Analysis (SCA) to identify applications using vulnerable JSON-Java versions
- Monitor JVM heap usage and memory allocation patterns for anomalies during JSON processing
- Deploy application performance monitoring (APM) to track memory consumption spikes
- Review dependency manifests (pom.xml, build.gradle) for json-java versions at or below 20230618
Monitoring Recommendations
- Configure alerting for rapid memory growth exceeding baseline thresholds in JSON-processing services
- Implement request logging with payload size tracking to correlate with memory anomalies
- Enable JVM memory monitoring with alerts for heap usage approaching configured limits
- Monitor application health endpoints for availability degradation patterns
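The indicators above (OutOfMemoryError entries correlated with JSON parsing) and the recommendation to log payload sizes can be combined into one detection rule. The script below is an added example, not code from the original page: it walks application log lines in a constructed format (a request line carrying thread, content-length and request-id, followed later by an ERROR line and a Java stack trace), ties any OutOfMemoryError whose stack contains an org.json frame back to the last request on the same thread, and flags the case where a small payload still ended in an OOM, which is the pattern this advisory describes. The log format, thread names, paths and the 64 KiB threshold are assumptions for the example.

```python
"""Correlate OutOfMemoryError events with the JSON request that preceded them.

Added example (not code from the original page). Log lines are expected in a
constructed format: an INFO request line per call that records the thread,
content-length and request-id; later an ERROR line on the same thread followed
by a Java stack trace. An OOM whose stack includes an org.json frame is tied
back to the last request seen on that thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) INFO +(?P<thread>\S+) \S+ - (?P<method>[A-Z]+) (?P<path>\S+) "
    r"content-length=(?P<size>\d+) request-id=(?P<rid>\w+)$"
)
ERROR_RE = re.compile(r"^(?P<ts>\S+) ERROR +(?P<thread>\S+) ")
OOM_RE = re.compile(r"^java\.lang\.OutOfMemoryError\b")
JSON_FRAME_RE = re.compile(r"^\s+at (?P<frame>org\.json\.[\w.$<>]+)\(")


@dataclass
class OomAlert:
    timestamp: str
    thread: str
    json_frame: str            # first org.json frame found on the stack
    request_id: Optional[str]  # last request logged on that thread, if any
    payload_bytes: Optional[int]
    small_payload: bool        # payload at or under the threshold: the CVE-2023-5072 pattern


def correlate_oom_with_json_requests(lines: List[str], max_payload_bytes: int = 65536) -> List[OomAlert]:
    """Return one alert per OutOfMemoryError whose stack trace passes through org.json."""
    last_request: Dict[str, Tuple[str, int]] = {}  # thread -> (request-id, content-length)
    alerts: List[OomAlert] = []
    i = 0
    while i < len(lines):
        req = REQUEST_RE.match(lines[i])
        if req:
            last_request[req["thread"]] = (req["rid"], int(req["size"]))
            i += 1
            continue
        err = ERROR_RE.match(lines[i])
        if err and i + 1 < len(lines) and OOM_RE.match(lines[i + 1]):
            # Walk the indented "at ..." frames that follow the OOM line.
            j = i + 2
            json_frame = None
            while j < len(lines) and lines[j][:1].isspace():
                frame = JSON_FRAME_RE.match(lines[j])
                if frame and json_frame is None:
                    json_frame = frame["frame"]
                j += 1
            if json_frame is not None:
                rid, size = last_request.get(err["thread"], (None, None))
                alerts.append(OomAlert(
                    timestamp=err["ts"], thread=err["thread"], json_frame=json_frame,
                    request_id=rid, payload_bytes=size,
                    small_payload=size is not None and size <= max_payload_bytes,
                ))
            i = j
            continue
        i += 1
    return alerts


# Constructed sample log (not from a real system). The first OOM sits under
# org.json parsing of a 1.8 KB request; the second is an unrelated OOM.
SAMPLE_LOG = """\
2024-03-04T10:15:01.221Z INFO  exec-7 OrdersController - POST /api/orders content-length=1873 request-id=7f3a
2024-03-04T10:15:01.350Z INFO  exec-2 ReportController - POST /api/reports content-length=52000000 request-id=9c01
2024-03-04T10:15:03.904Z WARN  exec-7 JvmMonitor - heap used 92% (3.7G of 4.0G)
2024-03-04T10:15:04.118Z ERROR exec-7 OrdersController - request failed request-id=7f3a
java.lang.OutOfMemoryError: Java heap space
\tat org.json.JSONTokener.nextValue(Unknown Source)
\tat org.json.JSONObject.<init>(Unknown Source)
\tat com.example.orders.OrdersController.create(OrdersController.java:58)
2024-03-04T10:15:09.002Z ERROR exec-2 ReportController - request failed request-id=9c01
java.lang.OutOfMemoryError: Java heap space
\tat java.base/java.util.Arrays.copyOf(Arrays.java:3537)
\tat com.example.reports.ReportController.build(ReportController.java:91)
""".splitlines()

if __name__ == "__main__":
    for alert in correlate_oom_with_json_requests(SAMPLE_LOG):
        tag = "SMALL PAYLOAD, possible CVE-2023-5072" if alert.small_payload else "large payload"
        print(f"{alert.timestamp} {alert.thread} {alert.json_frame} "
              f"request={alert.request_id} bytes={alert.payload_bytes} [{tag}]")
```

The same-thread heuristic works for servlet containers that log the worker thread name; where the application propagates a request id through MDC, key `last_request` on that id instead. The threshold only decides how the alert is labelled: an OOM under org.json is worth a ticket either way, but a small payload is the case that size-based filtering at the gateway would have let through.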
How to Mitigate CVE-2023-5072
Immediate Actions Required
- Upgrade JSON-Java library to a version newer than 20230618 that contains the fix
- Conduct a dependency audit to identify all applications using vulnerable JSON-Java versions
- Implement input size limits at the application or API gateway level as a defense-in-depth measure
- Review and update transitive dependencies that may include vulnerable JSON-Java versions
Patch Information
The vulnerability affects JSON-Java versions up to and including 20230618. Organizations should upgrade to a patched release (20231013 or later). Additional details are available in GitHub JSON-java Issue #758 and GitHub JSON-java Issue #771. NetApp has also published guidance in its Security Advisory NTAP-20240621-0007.
Workarounds
- Implement strict input size validation before passing data to the JSON parser
- Deploy rate limiting on endpoints that accept JSON input to reduce attack surface
- Configure JVM memory limits and container resource constraints to contain blast radius
- Consider using alternative JSON parsing libraries as a temporary measure while planning upgrades
# Configuration example - Maven dependency update
# In pom.xml, replace an org.json:json <version> of 20230618 or earlier with a
# patched release, for example: <version>20231013</version> or later
# Verify which json version the project actually resolves to (transitive
# dependencies included); grep for the exact coordinates so that jackson and
# other artifacts with "json" in their name are not listed:
mvn dependency:tree | grep 'org.json:json'
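The dependency review called for under Detection Strategies and Immediate Actions (SCA over pom.xml and the resolved dependency tree, including transitive pulls) can be scripted. The following is an added example, not code from the original page or from the json-java project: it reads either the text printed by `mvn dependency:tree` or a pom.xml, and flags any org.json:json version at or below 20230618. org.json releases are dated YYYYMMDD, so versions compare as integers. The sample tree and POM are constructed; the `com.example` coordinates are placeholders.

```python
"""Audit a Maven project for JSON-Java (org.json:json) builds affected by CVE-2023-5072.

Added example (not code from the original page or from the json-java project).
Two inputs are handled: the text printed by `mvn dependency:tree` and a pom.xml.
org.json releases are dated YYYYMMDD, so versions compare as plain integers.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

LAST_AFFECTED = 20230618  # advisory: every release up to and including this one
FIRST_FIXED = 20231013    # release named on the page as carrying the fix

DATE_VERSION_RE = re.compile(r"\d{8}")
# dependency:tree node format: groupId:artifactId:type[:classifier]:version:scope
TREE_NODE_RE = re.compile(r"org\.json:json:[\w\-]+(?::[\w\-]+)?:(\d{8}):(\w+)")
PROPERTY_REF_RE = re.compile(r"\$\{([\w.\-]+)\}")


def is_affected(version: str) -> bool:
    """True when an org.json date version is at or below the last affected release."""
    if not DATE_VERSION_RE.fullmatch(version):
        raise ValueError(f"not an org.json date version: {version!r}")
    return int(version) <= LAST_AFFECTED


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, str, bool]]:
    """Return (version, scope, affected) for every org.json:json node in the tree.

    Nested nodes are transitive dependencies; they are reported as well, since a
    vulnerable build pulled in by another library is still what gets loaded.
    """
    return [(v, scope, is_affected(v)) for v, scope in TREE_NODE_RE.findall(tree_text)]


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml: str) -> List[Tuple[str, Optional[bool]]]:
    """Return (version, affected) for each org.json:json <dependency> in a POM.

    ${property} versions are resolved from the POM's own <properties>; anything
    still unresolved (supplied by a parent POM or a BOM) is reported with
    affected=None so it gets manual review rather than a silent pass.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in node})
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != ("org.json", "json"):
            continue
        version = fields.get("version", "")
        ref = PROPERTY_REF_RE.fullmatch(version)
        if ref:
            version = props.get(ref.group(1), version)
        affected = is_affected(version) if DATE_VERSION_RE.fullmatch(version) else None
        results.append((version, affected))
    return results


# Constructed sample output of `mvn dependency:tree` (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.4.2
[INFO] +- org.json:json:jar:20230227:compile
[INFO] +- com.example:shared-utils:jar:2.1.0:compile
[INFO] |  \\- org.json:json:jar:20231013:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed sample pom.xml that pins the version through a property.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders</artifactId>
  <version>1.4.2</version>
  <properties>
    <json.version>20230618</json.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.json</groupId>
      <artifactId>json</artifactId>
      <version>${json.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, scope, affected in scan_dependency_tree(SAMPLE_TREE):
        verdict = f"AFFECTED, upgrade to {FIRST_FIXED}+" if affected else "ok"
        print(f"tree: org.json:json:{version} ({scope}) -> {verdict}")
    for version, affected in scan_pom(SAMPLE_POM):
        status = {True: f"AFFECTED, upgrade to {FIRST_FIXED}+", False: "ok", None: "unresolved, review"}[affected]
        print(f"pom:  org.json:json:{version} -> {status}")
```

Run it against real input by piping `mvn dependency:tree` into `scan_dependency_tree` and reading each module's pom.xml into `scan_pom`; the tree is the authoritative view, because Maven's dependency mediation decides which single org.json build ends up on the classpath regardless of what individual POMs declare.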
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.