CVE-2024-47855 Overview
CVE-2024-47855 is a vulnerability in util/JSONTokener.java in JSON-lib (the kordamp/json-lib project), a Java library for JSON processing. Versions before 3.1.0 mishandle an unbalanced comment string during parsing, which can lead to a denial of service. The flaw is an input validation problem: the tokenizer does not reject malformed comment delimiters, so anyone who can supply JSON to an affected application can trigger unexpected tokenizer behaviour with a crafted payload.
Critical Impact
Applications using vulnerable versions of JSON-lib may be susceptible to denial of service attacks through specially crafted JSON input containing unbalanced comment strings.
Affected Products
- JSON-lib versions prior to 3.1.0
- Applications using kordamp/json-lib before version 3.1.0
- Java applications that depend on a vulnerable JSON-lib version, directly or transitively
Discovery Timeline
- 2024-10-04 - CVE-2024-47855 published to NVD
- 2024-11-07 - Last updated in NVD database
Technical Details for CVE-2024-47855
Vulnerability Analysis
The vulnerability is in JSONTokener.java, the class that reads raw JSON text and breaks it into tokens for the rest of the library. Like the JSON.org reference tokenizer it is modelled on, JSON-lib's tokenizer accepts comments (for example /* ... */ and // ...) even though standard JSON has no comment syntax. When it skips a comment, it fails to properly verify that the comment delimiters are balanced.
An unbalanced comment string is one in which a comment opener such as /* appears without the matching closer */. Skipping a block comment means scanning forward for */, and that scan must also stop at end of input; when it does not, the tokenizer can spin or keep consuming instead of failing with a syntax error, which is how malformed input turns into resource exhaustion or an application crash rather than a rejected request.
Root Cause
The root cause of this vulnerability is improper input validation in the comment parsing logic of JSONTokener.java. The tokenizer does not adequately verify that comment delimiters are properly balanced before processing the input. This oversight allows malformed input to bypass normal parsing boundaries and trigger unexpected behavior.
The fix implemented in version 3.1.0 adds proper validation checks to ensure that comment strings are correctly balanced before the tokenizer proceeds with parsing operations.
Attack Vector
This vulnerability is exploitable over the network, as attackers can submit malicious JSON payloads to any application that uses the vulnerable JSON-lib library for parsing user-supplied JSON data. The attack requires no authentication or user interaction, making it straightforward to exploit.
An attacker would craft a JSON payload containing unbalanced comment strings and submit it to a target application. When the application attempts to parse this malformed input using the vulnerable JSONTokener, the improper handling can lead to denial of service conditions.
The vulnerability affects availability but does not directly impact confidentiality or integrity of data. However, in production environments, denial of service can have significant operational impact.
Detection Methods for CVE-2024-47855
Indicators of Compromise
- Unusual JSON parsing errors or exceptions in application logs
- Application crashes or unresponsive states during JSON processing operations
- Sustained CPU or memory consumption in Java processes handling JSON data, in particular request threads that never return from parsing
- Error messages referencing JSONTokener or comment parsing failures
Detection Strategies
- Monitor application logs for JSON parsing exceptions and unusual error patterns
- Implement dependency scanning to identify vulnerable JSON-lib versions (prior to 3.1.0)
- Use Software Composition Analysis (SCA) tools to track JSON-lib usage across applications
- Review incoming JSON payloads for malformed comment structures
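The dependency-scanning step above, as an added example that is not part of this advisory or of json-lib: it reads `mvn dependency:tree` output and flags JSON-lib coordinates below the fixed version 3.1.0. The tree text is constructed for this example (fictitious project names, documentation-style artifacts); the decision to report the older net.sf.json-lib lineage as "verify" rather than auto-clearing it is an assumption of this example, not a statement from the advisory.

```python
# Added example (not from the advisory or json-lib): flag JSON-lib coordinates
# below 3.1.0 in `mvn dependency:tree` output. SAMPLE_TREE is constructed.
import re
from typing import NamedTuple, Optional, Tuple

FIXED_VERSION = (3, 1, 0)

# Maven prints each resolved artifact as groupId:artifactId:type[:classifier]:version:scope,
# i.e. five or six colon-separated fields; plugin and root lines have fewer and are skipped.
COORD_RE = re.compile(r'[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){4,5}')

# Constructed sample of dependency:tree output (not a real build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.kordamp.json:json-lib-core:jar:3.0.1:compile
[INFO] |  \\- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
"""


class Finding(NamedTuple):
    coordinate: str
    version: str
    status: str  # "vulnerable", "fixed" or "verify"


def version_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    """Numeric prefix only: '3.0.1' -> (3, 0, 1); '3.1.0-SNAPSHOT' -> (3, 1, 0).
    Qualifiers are ignored, so treat pre-releases of 3.1.0 with care."""
    m = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', version)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    vt = version_tuple(version)
    return vt is not None and vt < FIXED_VERSION


def scan_tree(text: str) -> list:
    """Return one Finding per JSON-lib coordinate seen in the tree output."""
    findings = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(0).split(':')
        group, artifact, version = parts[0], parts[1], parts[-2]
        if group == 'org.kordamp.json' and artifact.startswith('json-lib'):
            status = 'vulnerable' if is_vulnerable(version) else 'fixed'
        elif group == 'net.sf.json-lib':
            # Assumption of this example: the pre-kordamp 2.x lineage is unmaintained
            # and below 3.1.0, so report it for manual verification instead of clearing it.
            status = 'verify'
        else:
            continue
        findings.append(Finding(m.group(0), version, status))
    return findings


if __name__ == '__main__':
    for f in scan_tree(SAMPLE_TREE):
        print(f'{f.status:10} {f.coordinate}')
```

Run it against `mvn dependency:tree` output (`mvn dependency:tree > tree.txt`) for each module; because Maven resolves conflicts by nearest definition, an old json-lib-core declared close to the root can win over a newer one deeper in the tree, so scan every module rather than only the one that declares the dependency.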
Monitoring Recommendations
- Enable detailed logging for JSON parsing operations in production environments
- Set up alerts for abnormal error rates in JSON processing components
- Monitor resource utilization (CPU, memory) for applications that process external JSON input
- Implement rate limiting for endpoints that accept JSON payloads
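The "abnormal error rate" alert recommended above, as an added example that is not part of this advisory: it counts JSON parsing failures per client in a sliding window and raises one alert per burst. The log lines are constructed for this example (invented layout, messages and documentation-range addresses); the `client=` field and the exception names matched are assumptions about what an application logs, so adapt the two regexes to your own format.

```python
# Added example (not from the advisory): per-client burst detection over
# constructed JSON parse-error log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> <LEVEL> <logger> client=<addr> <message>".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<level>[A-Z]+)\s+'
    r'(?P<logger>\S+) client=(?P<client>\S+) (?P<msg>.*)$')

# Anything naming the tokenizer or the library's exception type counts as a
# parse failure; tune to the exception names your application really emits.
PARSE_ERROR_RE = re.compile(r'JSONTokener|JSONException')

# Constructed sample: one client hammering the endpoint with malformed input,
# one client with an isolated error, plus normal traffic.
SAMPLE_LOG = """\
2024-11-07T10:00:00Z INFO  api.Ingest client=198.51.100.7 accepted 1 record
2024-11-07T10:00:01Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:02Z WARN  api.Ingest client=198.51.100.7 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:03Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:05Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:06Z INFO  api.Ingest client=198.51.100.7 accepted 3 records
2024-11-07T10:00:08Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:12Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:20Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:00:31Z WARN  api.Ingest client=203.0.113.5 parse failed: org.kordamp.json.JSONException from JSONTokener
2024-11-07T10:02:00Z WARN  api.Ingest client=198.51.100.7 parse failed: org.kordamp.json.JSONException from JSONTokener
"""


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (client, timestamp, count) whenever a client's parse errors reach
    `threshold` within `window`. The client's window is reset after an alert so
    a sustained flood yields one alert per burst rather than one per line."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PARSE_ERROR_RE.search(m['msg']):
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        q = recent[m['client']]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m['client'], ts, len(q)))
            q.clear()
    return alerts


if __name__ == '__main__':
    for client, ts, count in detect_bursts(SAMPLE_LOG):
        print(f'ALERT {client}: {count} JSON parse errors ending {ts.isoformat()}')
```

Pair the error-rate alert with the thread-level signal from the indicators above: a flood of rejections means the parser is failing closed, while a client whose requests stop producing any log line at all may be the one that found an input the tokenizer never returns from.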
How to Mitigate CVE-2024-47855
Immediate Actions Required
- Upgrade JSON-lib to version 3.1.0 or later immediately
- Audit all applications using JSON-lib to identify vulnerable instances
- Implement input validation to reject malformed JSON before parsing
- Consider implementing rate limiting on JSON processing endpoints as a temporary measure
Patch Information
The vulnerability has been addressed in JSON-lib version 3.1.0. The security fix is available in the GitHub commit a0c4a0eae277130e22979cf307c95dec4005a78e. Organizations should upgrade to version 3.1.0 or later to remediate this vulnerability. The version comparison between 3.0.3 and 3.1.0 provides details on all changes included in the security release.
Workarounds
- Implement pre-parsing validation that tracks string literals and rejects input containing an unclosed /* comment; the validator must itself stop at end of input, otherwise it only moves the problem
- Use alternative JSON parsing libraries that do not have this vulnerability until upgrade is possible
- Deploy web application firewalls (WAF) with rules to filter malformed JSON payloads, bearing in mind that /* legitimately appears inside string values (URLs, regular expressions), so a bare substring rule will block valid traffic
- Restrict access to JSON processing endpoints to trusted sources where feasible
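The pre-parsing check listed in the workarounds, as an added example that is not json-lib's code and is not part of this advisory: it models the comment skipping a JSON.org-style tokenizer performs, with the end-of-input check that the root-cause section says an unbalanced comment needs, and it doubles as the validation gate in front of a strict parser. Python's json module accepts no comments, so the comments are stripped before parsing. Function names, the error type and the size limit are choices of this example.

```python
# Added example (not json-lib's code): reject JSON text with an unclosed
# /* ... */ comment before it reaches the real parser, then parse strictly.
import json


class UnbalancedCommentError(ValueError):
    """Raised when a block comment is opened but never closed."""


def strip_comments(text: str) -> str:
    """Return `text` with // and /* */ comments removed.

    String literals are tracked so delimiters inside strings (e.g. "http://x/*")
    are left alone. An unclosed block comment raises UnbalancedCommentError
    instead of being silently accepted: this is the end-of-input check.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == '\\' and i + 1 < n:          # keep the escaped char (covers \")
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
            continue
        if c == '"':
            in_string = True
            out.append(c)
            i += 1
            continue
        if c == '/' and i + 1 < n and text[i + 1] == '/':
            # Line comment: ends at newline or at end of input; both are fine.
            j = text.find('\n', i + 2)
            i = n if j == -1 else j
            continue
        if c == '/' and i + 1 < n and text[i + 1] == '*':
            # Block comment: must find a closing */ before end of input.
            j = text.find('*/', i + 2)
            if j == -1:
                raise UnbalancedCommentError(
                    f'block comment opened at offset {i} is never closed')
            out.append(' ')                       # keep tokens separated
            i = j + 2
            continue
        out.append(c)
        i += 1
    return ''.join(out)


def validate_and_parse(payload: str, max_len: int = 1_000_000):
    """Fail closed: reject oversized or unbalanced input, then parse strictly.
    Returns (value, "ok") or (None, reason)."""
    if len(payload) > max_len:
        return None, 'rejected: payload too large'
    try:
        cleaned = strip_comments(payload)
    except UnbalancedCommentError as exc:
        return None, f'rejected: {exc}'
    try:
        return json.loads(cleaned), 'ok'
    except json.JSONDecodeError as exc:
        return None, f'rejected: invalid JSON ({exc.msg})'


if __name__ == '__main__':
    for sample in ['{"a": 1 /* ok */}', '{"a": 1 /* never closed',
                   '{"url": "http://x/*"}', '{"a": 1} // trailing']:
        print(repr(sample), '->', validate_and_parse(sample))
```

Because the function scans forward for `*/` with `str.find`, an unclosed comment costs one pass over the remaining input and then raises; that bounded, fail-closed behaviour is the property the upstream fix restores, and it is what a WAF or gateway rule should reproduce instead of matching the bare `/*` substring.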
Maven dependency update example (pom.xml entry for the patched version):

```xml
<dependency>
    <groupId>org.kordamp.json</groupId>
    <artifactId>json-lib-core</artifactId>
    <version>3.1.0</version>
</dependency>
```

After updating, run `mvn dependency:tree` and confirm that no other dependency still pulls in an older json-lib-core transitively; Maven resolves version conflicts by nearest definition, so an old version declared closer to the root can remain on the classpath.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


