CVE-2023-7272 Overview
CVE-2023-7272 is a stack overflow vulnerability in Eclipse Parsson, a JSON processing library for Java applications. The vulnerability allows an attacker to cause a denial of service condition by submitting a specially crafted JSON document with an excessive depth of nested objects. When the Parsson library attempts to parse, generate, transform, or query such a document, it triggers a java.lang.StackOverflowError, causing the application to crash.
Critical Impact
Remote attackers can cause denial of service in Java applications using vulnerable versions of Eclipse Parsson by submitting deeply nested JSON documents, potentially disrupting business-critical services that rely on JSON processing.
Affected Products
- Eclipse Parsson 1.0.x versions before 1.0.4
- Eclipse Parsson 1.1.x versions before 1.1.3
Discovery Timeline
- 2024-07-17 - CVE-2023-7272 published to NVD
- 2025-02-06 - Last updated in NVD database
Technical Details for CVE-2023-7272
Vulnerability Analysis
This vulnerability stems from improper handling of recursive JSON parsing operations in Eclipse Parsson. The library processes JSON documents using recursive function calls to handle nested objects and arrays. When an attacker provides a JSON document with an extremely deep nesting structure, the recursive parsing causes the Java Virtual Machine's call stack to exceed its allocated stack space, resulting in a java.lang.StackOverflowError.
The vulnerability is classified under CWE-787 (Out-of-bounds Write), though in this context it manifests as uncontrolled recursion leading to stack exhaustion. The attack can be executed remotely over the network without requiring authentication or user interaction, making it particularly dangerous for publicly accessible services that accept JSON input.
Root Cause
The root cause is the absence of depth validation during JSON document parsing. Eclipse Parsson's recursive descent parser does not enforce a maximum nesting depth limit, allowing malicious input to consume unbounded stack space. Each nested object or array in the JSON document adds a new stack frame, and without proper bounds checking, an attacker can craft a document that exceeds the JVM's stack allocation.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a JSON payload with deeply nested structures to any endpoint that uses Eclipse Parsson for JSON processing. The vulnerability affects any operation that processes JSON documents, including:
- Parsing JSON from HTTP request bodies
- Processing JSON from message queues
- Transforming or querying JSON configuration files
- Any API endpoint accepting JSON input
A malicious payload would consist of thousands of nested opening braces creating an extremely deep object structure, followed by corresponding closing braces. When the vulnerable Parsson library attempts to parse this document, the recursive descent through the nested structure exhausts the JVM stack.
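The following is an added illustration, not Parsson source code: a toy recursive-descent "nesting parser" for JSON arrays and objects, written once without a depth limit (the defect class described above) and once with a depth check on every recursive call (the pattern the fix introduces). It only tracks structure and skips over scalars so the recursion is easy to follow. The payload in main is constructed for the demonstration; the class name and the limit of 64 are assumptions, and the code needs Java 11 or later for String.repeat.

```java
public final class RecursionDepthDemo {

    /** Thrown by the hardened parser when nesting exceeds the configured limit. */
    public static final class DepthLimitExceeded extends RuntimeException {
        DepthLimitExceeded(int limit) { super("JSON nesting deeper than " + limit); }
    }

    // Vulnerable form: one stack frame per nested container, no limit at all.
    static int parseUnbounded(String s, int[] pos) {
        return parseValue(s, pos, 0, Integer.MAX_VALUE);
    }

    // Hardened form: the same parser, but it refuses to open a container past maxDepth.
    static int parseBounded(String s, int[] pos, int maxDepth) {
        return parseValue(s, pos, 0, maxDepth);
    }

    /**
     * Parses one value starting at pos[0] and returns the deepest container level
     * reached. `open` is the number of containers already open around this value.
     */
    private static int parseValue(String s, int[] pos, int open, int maxDepth) {
        skipWs(s, pos);
        char c = s.charAt(pos[0]);
        if (c == '[' || c == '{') {
            int level = open + 1;
            if (level > maxDepth) throw new DepthLimitExceeded(maxDepth); // the fix: bounded recursion
            char close = (c == '[') ? ']' : '}';
            pos[0]++;
            int deepest = level;
            skipWs(s, pos);
            while (s.charAt(pos[0]) != close) {
                if (close == '}') {                       // object member: "key" :
                    skipString(s, pos);
                    skipWs(s, pos);
                    expect(s, pos, ':');
                }
                deepest = Math.max(deepest, parseValue(s, pos, level, maxDepth)); // recursion point
                skipWs(s, pos);
                if (s.charAt(pos[0]) == ',') { pos[0]++; skipWs(s, pos); }
            }
            pos[0]++;                                     // consume the closing bracket
            return deepest;
        }
        if (c == '"') { skipString(s, pos); return open; }
        // Any other scalar (number, true, false, null): skip to the next delimiter.
        while (pos[0] < s.length() && ",]} \n\r\t".indexOf(s.charAt(pos[0])) < 0) pos[0]++;
        return open;
    }

    private static void skipWs(String s, int[] pos) {
        while (pos[0] < s.length() && Character.isWhitespace(s.charAt(pos[0]))) pos[0]++;
    }

    /** Skips a JSON string literal, honouring backslash escapes. */
    private static void skipString(String s, int[] pos) {
        expect(s, pos, '"');
        while (s.charAt(pos[0]) != '"') {
            if (s.charAt(pos[0]) == '\\') pos[0]++;      // escaped character
            pos[0]++;
        }
        pos[0]++;                                         // closing quote
    }

    private static void expect(String s, int[] pos, char ch) {
        if (s.charAt(pos[0]) != ch) throw new IllegalArgumentException("expected '" + ch + "' at " + pos[0]);
        pos[0]++;
    }

    public static void main(String[] args) {
        String normal = "{\"a\": [1, {\"b\": \"x]\"}, [true]]}";
        System.out.println("normal document depth = " + parseBounded(normal, new int[]{0}, 64)); // 3

        // Constructed hostile payload: one million nested arrays.
        String hostile = "[".repeat(1_000_000) + "]".repeat(1_000_000);
        try {
            parseBounded(hostile, new int[]{0}, 64);
        } catch (DepthLimitExceeded e) {
            System.out.println("bounded parser rejected input: " + e.getMessage());
        }
        try {
            parseUnbounded(hostile, new int[]{0});
        } catch (StackOverflowError e) {
            // This is the crash the advisory describes; it is caught here only for the demo.
            System.out.println("unbounded parser died with StackOverflowError");
        }
    }
}
```

The bounded parser fails after reading 65 opening brackets, regardless of how long the payload is; the unbounded one keeps pushing frames until the JVM stack is gone. Note that the check sits on the recursive call itself rather than on the input size, which is what makes it robust against documents that are small in bytes but deep in structure.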
Detection Methods for CVE-2023-7272
Indicators of Compromise
- Unexpected java.lang.StackOverflowError exceptions in application logs
- Application crashes or service restarts coinciding with JSON processing operations
- Incoming HTTP requests with unusually large JSON payloads containing excessive nesting
- Memory monitoring alerts showing abnormal stack usage patterns
Detection Strategies
- Implement application logging to capture StackOverflowError exceptions and correlate with incoming requests
- Configure web application firewalls to inspect JSON payloads for excessive nesting depth
- Monitor JVM metrics for abnormal stack memory consumption patterns
- Deploy intrusion detection rules to flag requests with JSON bodies exceeding reasonable nesting thresholds
Monitoring Recommendations
- Enable detailed exception logging for JSON parsing operations in applications using Parsson
- Set up alerting for repeated application crashes or container restarts
- Monitor API endpoints that accept JSON input for unusual payload characteristics
- Track dependency versions across your Java applications to identify vulnerable Parsson instances
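As an added example of the logging correlation and crash alerting recommended above (this is not code from the advisory or from Eclipse), the class below scans access-log-style lines, keeps a sliding window of StackOverflowError occurrences per request path, and reports any path that crosses a threshold within the window. The log layout, the sample lines and the threshold values are constructed for the illustration; adapt the regular expression to your own logger's format.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class StackOverflowLogCorrelator {

    // Constructed sample log: timestamp, method, path, status, message.
    static final List<String> SAMPLE_LOG = List.of(
        "2024-08-01T10:00:01Z POST /api/orders 200 json-parse ok",
        "2024-08-01T10:00:03Z POST /api/orders 500 java.lang.StackOverflowError",
        "2024-08-01T10:00:04Z POST /api/orders 500 java.lang.StackOverflowError",
        "2024-08-01T10:00:05Z GET  /health 200 ok",
        "2024-08-01T10:00:06Z POST /api/orders 500 java.lang.StackOverflowError",
        "2024-08-01T10:30:00Z POST /api/import 500 java.lang.StackOverflowError");

    // Assumed line layout: "<iso-timestamp> <method> <path> <status> <message>".
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(\\d{3})\\s+(.*)$");

    /**
     * Returns, per request path, the largest number of StackOverflowError log
     * entries that fell within `window` of each other, for paths that reached
     * `threshold` or more. Such a cluster on a JSON-accepting endpoint is the
     * signal this advisory's detection section describes.
     */
    static Map<String, Integer> findHotPaths(List<String> lines, int threshold, Duration window) {
        Map<String, Deque<Instant>> recent = new HashMap<>();
        Map<String, Integer> alerts = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches() || !m.group(5).contains("java.lang.StackOverflowError")) continue;
            Instant ts = Instant.parse(m.group(1));
            String path = m.group(3);
            Deque<Instant> q = recent.computeIfAbsent(path, k -> new ArrayDeque<>());
            q.addLast(ts);
            // Drop entries older than the window relative to the newest one.
            while (Duration.between(q.peekFirst(), ts).compareTo(window) > 0) q.pollFirst();
            if (q.size() >= threshold) alerts.merge(path, q.size(), Math::max);
        }
        return alerts;
    }

    public static void main(String[] args) {
        Map<String, Integer> hot = findHotPaths(SAMPLE_LOG, 3, Duration.ofMinutes(1));
        hot.forEach((path, n) ->
            System.out.println("ALERT " + path + ": " + n + " StackOverflowErrors within 1 minute"));
        // With the sample data only /api/orders is reported; /api/import logged a single error.
    }
}
```

In a real deployment the same logic would run against the application's exception log rather than a fixed list, and the alert would carry the request path so responders can check which endpoint is receiving the deeply nested payloads and whether that service still runs a pre-1.0.4 or pre-1.1.3 Parsson.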
How to Mitigate CVE-2023-7272
Immediate Actions Required
- Upgrade Eclipse Parsson to version 1.0.4 or later for the 1.0.x branch
- Upgrade Eclipse Parsson to version 1.1.3 or later for the 1.1.x branch
- Audit all Java applications to identify usage of vulnerable Parsson versions
- Implement input validation to limit JSON nesting depth at the application layer
Patch Information
Eclipse has released patched versions that address this vulnerability. The fix introduces proper depth validation during JSON parsing operations to prevent stack exhaustion from deeply nested documents. Users should upgrade to Eclipse Parsson 1.0.4 or 1.1.3 (or later versions) depending on their current branch. For detailed information about the fix, refer to the Eclipse GitLab Vulnerability Report.
Workarounds
- Implement a pre-processing filter to validate JSON nesting depth before passing to Parsson
- Configure web application firewalls to reject JSON payloads with excessive nesting
- Increase JVM stack size as a temporary measure (not recommended as a permanent solution)
- Implement rate limiting on endpoints that accept JSON input to reduce attack surface
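The first workaround above, a pre-processing filter that validates nesting depth before the document reaches Parsson, can be implemented as in the added example below (this is not Parsson's or Eclipse's code). It walks the raw JSON text once with a simple counter, skips over string literals so that brackets inside strings are not miscounted, and rejects the document as soon as the limit is crossed, so a hostile payload is refused after the first maxDepth+1 opening brackets rather than after being read in full. The check uses no recursion and no buffering, so it cannot itself be exhausted. The class name, the limit of 32 and the sample documents are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

public final class JsonDepthGuard {

    /** Raised when the document nests deeper than the configured limit. */
    public static final class TooDeep extends IOException {
        TooDeep(int limit) { super("JSON nesting exceeds limit of " + limit); }
    }

    /**
     * Scans the document and returns the maximum nesting depth seen.
     * Throws TooDeep as soon as depth exceeds maxDepth; throws IOException for
     * unbalanced or truncated input so malformed documents are also rejected.
     */
    public static int checkDepth(Reader in, int maxDepth) throws IOException {
        int depth = 0, deepest = 0;
        boolean inString = false, escaped = false;
        int c;
        while ((c = in.read()) != -1) {
            if (inString) {
                if (escaped) escaped = false;            // character after a backslash is literal
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;                                // brackets inside strings are data, not structure
            }
            switch (c) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    if (++depth > maxDepth) throw new TooDeep(maxDepth); // early rejection
                    deepest = Math.max(deepest, depth);
                    break;
                case '}':
                case ']':
                    if (--depth < 0) throw new IOException("unbalanced closing bracket");
                    break;
                default:
                    break;                               // scalars, commas, colons, whitespace
            }
        }
        if (depth != 0 || inString) throw new IOException("truncated JSON document");
        return deepest;
    }

    public static void main(String[] args) throws IOException {
        // Constructed benign document: brackets inside the string must not be counted.
        String ok = "{\"note\": \"brackets in strings [[[[ do not count\", \"items\": [[1], [2]]}";
        System.out.println("benign document depth = " + checkDepth(new StringReader(ok), 32)); // 3

        // Constructed hostile document: ten thousand nested objects.
        String hostile = "{\"a\":".repeat(10_000) + "1" + "}".repeat(10_000);
        try {
            checkDepth(new StringReader(hostile), 32);
        } catch (TooDeep e) {
            System.out.println("rejected before reaching Parsson: " + e.getMessage());
        }
    }
}
```

Because the guard consumes the Reader, an HTTP filter would first read the request body into a bounded buffer (enforcing a maximum size at the same time), run checkDepth over it, and only then hand the buffered text to the JSON library. Pick a limit that comfortably covers the deepest document your API legitimately accepts; legitimate payloads rarely exceed a few dozen levels, while the payloads this advisory describes are thousands deep.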
# Example: Check current Parsson version in Maven projects
mvn dependency:tree | grep parsson
# Update pom.xml to use patched version
# For 1.0.x branch: <version>1.0.4</version>
# For 1.1.x branch: <version>1.1.3</version>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.