CVE-2023-51074: Jayway JsonPath Buffer Overflow Flaw

CVE-2023-51074 Overview

CVE-2023-51074 is a stack overflow vulnerability discovered in json-path v2.8.0. The vulnerability exists in the Criteria.parse() method, which can be exploited to cause a denial of service condition through excessive stack consumption. JsonPath is a widely used Java library for reading JSON documents, making this vulnerability potentially impactful for applications that process untrusted JSON path expressions.

Critical Impact

Applications using the affected version of json-path may be vulnerable to denial of service attacks when processing maliciously crafted input through the Criteria.parse() method.

Affected Products

• json-path Jayway JsonPath v2.8.0
• Applications using the vulnerable Criteria.parse() method
• Java applications processing untrusted JSON path expressions

Discovery Timeline

• 2023-12-27 - CVE-2023-51074 published to NVD
• 2025-09-12 - Last updated in NVD database

Technical Details for CVE-2023-51074

Vulnerability Analysis

This vulnerability is classified as a stack overflow, a type of memory corruption vulnerability that occurs when a program writes more data to a buffer on the stack than it was allocated for, or in this case, when recursive operations consume stack space beyond available limits. The Criteria.parse() method in json-path v2.8.0 can be triggered to enter deep recursion when processing specially crafted input, eventually exhausting the call stack and causing the application to crash.

The attack can be executed over the network without requiring authentication or user interaction, making it accessible to remote attackers. However, the impact is limited to availability—there is no evidence that this vulnerability can lead to data exfiltration or code execution.

Root Cause

The root cause of this vulnerability lies in the Criteria.parse() method's handling of input data. The method does not implement adequate depth limits or recursion safeguards, allowing an attacker to provide input that triggers excessive recursive calls. This leads to stack exhaustion and ultimately a denial of service condition when the JVM's stack limit is exceeded.

Attack Vector

The attack vector is network-based, requiring an attacker to send malicious input to an application that uses the vulnerable json-path library. The attack requires no privileges or user interaction, making it relatively straightforward to exploit if an application exposes functionality that processes JSON path expressions from untrusted sources.

The vulnerability manifests when specially crafted input is passed to the Criteria.parse() method, triggering deep recursion that exhausts the call stack. For detailed technical analysis and discussion of the vulnerability mechanism, refer to the GitHub Issue Tracker Discussion.

Detection Methods for CVE-2023-51074

Indicators of Compromise

• Unusual application crashes with StackOverflowError exceptions in Java logs
• Repeated crashes or service restarts associated with JSON path processing operations
• Malformed or excessively nested input patterns in application request logs

Detection Strategies

• Monitor application logs for java.lang.StackOverflowError exceptions originating from json-path library classes
• Implement input validation to detect and reject abnormally complex JSON path expressions before they reach the parser
• Use application performance monitoring to detect unusual CPU or memory patterns associated with parsing operations

Monitoring Recommendations

• Enable detailed logging for applications using json-path to capture stack traces during failures
• Set up alerts for repeated StackOverflowError exceptions in production environments
• Monitor service availability metrics for applications that process JSON path expressions from external sources

How to Mitigate CVE-2023-51074

Immediate Actions Required

• Inventory all applications using json-path library and identify those running version 2.8.0
• Implement input validation to limit the complexity of JSON path expressions accepted from untrusted sources
• Consider applying application-level rate limiting to reduce the impact of potential denial of service attacks
• Review and upgrade to a patched version of json-path when available

Patch Information

Users are advised to monitor the json-path GitHub repository for updates regarding fixes for this vulnerability. Check for newer releases that address the stack overflow issue in the Criteria.parse() method and upgrade to a patched version as soon as one becomes available.

Workarounds

• Implement input validation to reject JSON path expressions that exceed reasonable complexity thresholds
• Add timeout mechanisms around JSON path parsing operations to prevent long-running recursive calls
• Consider increasing the JVM stack size as a temporary measure to raise the threshold for exploitation, though this does not eliminate the vulnerability
• Isolate json-path processing in sandboxed environments where denial of service has limited impact on overall system availability

For applications that must continue using the affected version, implement application-level safeguards to validate and sanitize input before it reaches the vulnerable Criteria.parse() method. Monitor the upstream project for official patches and prioritize upgrading when a fix is released.