CVE-2024-57699 Overview
A stack exhaustion vulnerability has been identified in Netplex Json-smart versions 2.5.0 through 2.5.1. When the library processes specially crafted JSON input containing a large number of opening curly braces ({), it can trigger stack exhaustion, allowing an attacker to cause a Denial of Service (DoS) condition. This vulnerability exists because of an incomplete fix for CVE-2023-1370, indicating that the original patch did not fully address the underlying recursive parsing issue.
Critical Impact
Remote attackers can exploit this vulnerability to crash applications using vulnerable Json-smart versions by sending malicious JSON payloads, potentially causing service disruption without requiring authentication.
Affected Products
- Netplex Json-smart 2.5.0
- Netplex Json-smart 2.5.1
- Applications and services using affected Json-smart library versions as a dependency
Discovery Timeline
- 2025-02-05 - CVE-2024-57699 published to NVD
- 2025-02-06 - Last updated in NVD database
Technical Details for CVE-2024-57699
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), which describes a condition where the software does not properly limit the depth or number of recursive calls. The Json-smart library, widely used for JSON parsing in Java applications, fails to properly handle deeply nested JSON structures.
When the parser encounters JSON input with excessive nesting through opening curly braces, each nested level triggers a recursive call on the call stack. Without proper depth limits, an attacker can craft a payload with sufficient nesting to exhaust the available stack space, resulting in a StackOverflowError that crashes the application.
This vulnerability is particularly concerning because it represents an incomplete fix for the previously addressed CVE-2023-1370, suggesting that edge cases or specific parsing paths were not fully remediated in earlier patches. The network-accessible attack vector and lack of authentication requirements make this vulnerability easily exploitable in any application that processes untrusted JSON input.
Root Cause
The root cause lies in the recursive nature of the JSON parsing algorithm within Json-smart. When processing nested JSON objects, the parser recursively descends into each nested level without implementing adequate bounds checking on the recursion depth. The incomplete fix for CVE-2023-1370 left certain code paths vulnerable to this stack exhaustion attack, allowing malicious input to bypass the previously implemented protections.
Attack Vector
The vulnerability can be exploited remotely over the network by any unauthenticated attacker who can send JSON data to an application using the vulnerable library. The attack requires no user interaction and can be executed with low complexity.
An attacker crafts a JSON payload containing thousands of consecutive opening curly braces (e.g., {{{{{{{{...), which forces the parser into deep recursion. When the application attempts to parse this malicious input, the call stack rapidly fills with recursive method invocations until stack memory is exhausted. The resulting StackOverflowError terminates the parsing thread and potentially crashes the entire application.
A proof-of-concept repository is available at the GitHub PoC Repository demonstrating this attack technique. For additional context on the original vulnerability, refer to the NIST CVE-2023-1370 detail page.
Detection Methods for CVE-2024-57699
Indicators of Compromise
- Unexpected StackOverflowError exceptions in application logs during JSON parsing operations
- Service crashes or restarts correlated with incoming JSON requests containing abnormally large payloads
- High volume of requests containing repetitive patterns of opening curly braces in JSON payloads
- Application performance degradation followed by sudden termination
Detection Strategies
- Implement log monitoring for StackOverflowError exceptions specifically in JSON parsing components
- Deploy Web Application Firewall (WAF) rules to detect and block JSON payloads with excessive nesting depth
- Use software composition analysis (SCA) tools to identify applications using Json-smart versions 2.5.0 or 2.5.1
- Monitor for abnormal request patterns containing repetitive characters in JSON inputs
Monitoring Recommendations
- Enable detailed exception logging for JSON parsing operations to capture stack traces
- Implement alerting on application crashes that correlate with incoming HTTP requests containing JSON content
- Monitor thread dump analysis for excessive recursion in Json-smart parsing methods
- Track dependency versions across your software inventory to identify vulnerable applications
How to Mitigate CVE-2024-57699
Immediate Actions Required
- Audit all applications for usage of Netplex Json-smart versions 2.5.0 and 2.5.1
- Upgrade Json-smart library to a patched version when available from the vendor
- Implement input validation to reject JSON payloads exceeding reasonable nesting depth limits
- Consider temporarily switching to an alternative JSON parsing library if patches are not immediately available
Patch Information
Organizations should monitor the Netplex Json-smart project for official security patches addressing this vulnerability. As this is an incomplete fix for CVE-2023-1370, ensure that any applied patches specifically address the stack exhaustion issue in recursive parsing. Check the official project repository and release notes for security advisories.
Workarounds
- Implement a pre-processing filter that validates JSON nesting depth before passing to Json-smart
- Configure input size limits at the application or network layer to restrict maximum JSON payload size
- Deploy a reverse proxy with JSON inspection capabilities to reject malformed or excessively nested JSON
- Increase the thread stack size as a temporary measure (note: this only raises the threshold at which exhaustion occurs and does not eliminate the vulnerability)
- Consider using a streaming JSON parser that does not rely on deep recursion for nested structures
# Example: configuring the JVM thread stack size as a temporary mitigation
# Note: this only delays stack exhaustion; it does not fix the vulnerability
java -Xss2m -jar your-application.jar
# Example: add input-validation middleware that checks JSON nesting depth
# and rejects the payload before it reaches the Json-smart parser
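One way to implement the depth-validating pre-filter listed under Workarounds, as an added example rather than Json-smart's own code: the class name JsonDepthGuard, the MAX_DEPTH limit of 64 and the sample inputs are assumptions; JSONParser.MODE_PERMISSIVE and parse(String) are the library's public API.

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;

// Added example, not Json-smart project code: count nesting depth of '{' and
// '[' outside string literals and reject the payload before it reaches the
// recursive parser. MAX_DEPTH (64) is an assumed limit; size it to real documents.
public final class JsonDepthGuard {
    static final int MAX_DEPTH = 64;
    // Returns the deepest nesting seen, or -1 as soon as `limit` is exceeded.
    // Brackets inside strings are ignored and \" does not end a string.
    static int maxNestingDepth(String json, int limit) {
        int depth = 0, max = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '{' || c == '[') {
                if (++depth > limit) return -1;      // stop early on a brace flood
                if (depth > max) max = depth;
            } else if (c == '}' || c == ']') {
                depth--;                              // unbalanced input is left to the parser
            }
        }
        return max;
    }
    // Hands the text to Json-smart only after the depth check passes.
    static Object parseGuarded(String json) throws ParseException {
        if (maxNestingDepth(json, MAX_DEPTH) < 0)
            throw new IllegalArgumentException("JSON nesting deeper than " + MAX_DEPTH);
        return new JSONParser(JSONParser.MODE_PERMISSIVE).parse(json);
    }

    public static void main(String[] args) throws ParseException {
        // Constructed inputs: a normal document (depth 3; the braces inside the
        // string do not count) and a brace flood of the kind the advisory describes.
        String normal = "{\"user\":{\"tags\":[\"{not nesting}\"]}}";
        System.out.println(maxNestingDepth(normal, MAX_DEPTH) + " -> " + parseGuarded(normal));
        try {
            parseGuarded("{".repeat(100_000));        // Java 11+ String.repeat
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scan is linear in the payload size and allocates nothing, so the guard itself cannot be driven into the same failure mode as the recursive parser.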
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.