CVE-2026-24802 Overview
CVE-2026-24802 is an Infinite Loop vulnerability in the briandilley jsonrpc4j library, specifically in the code under src/main/java/com/googlecode/jsonrpc4j. The vulnerability is associated with the program file NoCloseOutputStream.java and affects jsonrpc4j through version 1.6.0.
The vulnerability allows a remote attacker to trigger a loop with an unreachable exit condition, potentially causing resource exhaustion and denial of service conditions in applications that utilize this JSON-RPC library.
Critical Impact
Applications using jsonrpc4j through version 1.6.0 may be vulnerable to denial of service attacks through an infinite loop condition that can exhaust system resources and cause service unavailability.
Affected Products
- jsonrpc4j through version 1.6.0
- Applications using jsonrpc4j's NoCloseOutputStream.java module
- Java applications implementing JSON-RPC functionality via briandilley/jsonrpc4j
Discovery Timeline
- 2026-01-27 - CVE-2026-24802 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24802
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an Infinite Loop vulnerability. The flaw exists in the NoCloseOutputStream.java file within the jsonrpc4j library's core modules.
The vulnerability can be exploited over the network without requiring authentication or special privileges. User interaction is required for successful exploitation. When triggered, the infinite loop condition causes the affected application to consume CPU resources indefinitely, leading to degraded performance or complete service unavailability.
The jsonrpc4j library is a popular Java implementation of the JSON-RPC protocol, used for remote procedure calls in distributed systems. This makes the vulnerability particularly concerning for web services and microservice architectures that rely on JSON-RPC communication.
Root Cause
The root cause of this vulnerability lies in improper loop termination logic within the NoCloseOutputStream.java implementation. The code contains a loop construct where the exit condition can become unreachable under certain input conditions, causing the program to enter an infinite execution state.
The NoCloseOutputStream class is typically used to wrap output streams in scenarios where the stream should not be closed by the JSON-RPC processing logic. A flaw in how this wrapper handles certain operations leads to the infinite loop condition.
Attack Vector
The attack vector for this vulnerability is network-based, requiring user interaction. An attacker can craft malicious JSON-RPC requests designed to trigger the vulnerable code path in NoCloseOutputStream.java. When the server processes these specially crafted requests, it enters an infinite loop state.
The exploitation scenario involves sending network requests to a service using jsonrpc4j that cause the NoCloseOutputStream wrapper to enter the problematic loop condition. This can be achieved by manipulating the structure or content of JSON-RPC payloads to trigger specific behaviors in the output stream handling.
For technical details on the vulnerable code path, refer to the GitHub Pull Request #333 which addresses this issue.
Detection Methods for CVE-2026-24802
Indicators of Compromise
- Unusually high CPU utilization by Java processes running jsonrpc4j-based applications
- Stalled or unresponsive JSON-RPC service endpoints
- Thread dumps showing threads stuck in NoCloseOutputStream methods
- Increasing response times followed by complete service unavailability
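The thread-dump indicator above can be checked mechanically. The following script is an added example, not part of this advisory or of the jsonrpc4j project: it parses jstack-style output, flags RUNNABLE threads whose top frames are inside com.googlecode.jsonrpc4j.NoCloseOutputStream (the fully qualified name implied by the file path in this advisory), and then compares two dumps taken a few seconds apart, since a thread that is still on the same frame in both is far more likely to be caught in the CWE-835 loop than one that is merely busy. Thread names, the caller frame and the method names in the sample dumps are constructed.

```python
import re

STUCK_CLASS = "com.googlecode.jsonrpc4j.NoCloseOutputStream"   # class named in the advisory

def parse_thread_dump(dump):
    """Parse a jstack-style dump into (name, state, frames) tuples, one per thread."""
    threads = []
    for chunk in re.split(r"\n\s*\n", dump.strip()):
        lines = chunk.splitlines()
        header = re.match(r'^"(?P<name>[^"]+)"', lines[0])
        if not header:          # JVM banner or other non-thread text
            continue
        state, frames = "UNKNOWN", []
        for line in lines[1:]:
            line = line.strip()
            if line.startswith("java.lang.Thread.State:"):
                state = line.split(":", 1)[1].split()[0]      # "WAITING (parking)" -> "WAITING"
            elif line.startswith("at "):
                frames.append(line[3:])
        threads.append((header.group("name"), state, frames))
    return threads

def suspect_threads(dump, depth=3):
    """{thread name: top frame} for RUNNABLE threads whose top `depth` frames are
    inside NoCloseOutputStream, the signature of the loop described above."""
    return {name: frames[0] for name, state, frames in parse_thread_dump(dump)
            if state == "RUNNABLE" and any(STUCK_CLASS in f for f in frames[:depth])}

def stuck_across_dumps(first, second):
    """Threads suspect in two dumps taken seconds apart with an unchanged top frame:
    a busy-but-healthy thread moves on, a looping one does not."""
    a, b = suspect_threads(first), suspect_threads(second)
    return sorted(name for name in a if b.get(name) == a[name])

# Constructed sample dumps (hypothetical thread names, method and caller; not a real capture).
def block(name, state, *frames):
    return (f'"{name}" #1 daemon prio=5 tid=0x1 nid=0x1\n   java.lang.Thread.State: {state}\n'
            + "".join(f"\tat {f}\n" for f in frames))

LOOP_FRAME = STUCK_CLASS + ".write(NoCloseOutputStream.java)"
IDLE_FRAME = "jdk.internal.misc.Unsafe.park(Native Method)"
CALLER = "com.example.rpc.RpcServlet.service(RpcServlet.java)"   # hypothetical caller
DUMP_T0 = "\n".join([block("exec-1", "RUNNABLE", LOOP_FRAME, CALLER),
                     block("exec-2", "RUNNABLE", LOOP_FRAME, CALLER),
                     block("exec-3", "WAITING (parking)", IDLE_FRAME)])
DUMP_T10 = "\n".join([block("exec-1", "RUNNABLE", LOOP_FRAME, CALLER),   # still there: stuck
                      block("exec-2", "WAITING (parking)", IDLE_FRAME),  # finished its request
                      block("exec-3", "RUNNABLE", LOOP_FRAME, CALLER)])  # just started: inconclusive
```

Run `stuck_across_dumps` on two real `jstack <pid>` captures taken 10 to 30 seconds apart; only exec-1 is reported for the samples above.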
Detection Strategies
- Monitor for Java applications using jsonrpc4j versions 1.6.0 or earlier in your software inventory
- Implement application performance monitoring to detect abnormal CPU consumption patterns
- Set up health checks for JSON-RPC endpoints with appropriate timeout thresholds
- Review dependency manifests (Maven pom.xml, Gradle build.gradle) for vulnerable jsonrpc4j versions
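The inventory and manifest-review steps above can be scripted. This is an added example, not code from this advisory or from the jsonrpc4j project: it pulls jsonrpc4j versions out of a pom.xml (resolving `${property}` references and tolerating a missing namespace) and out of a build.gradle string, and applies the advisory's "through version 1.6.0" boundary. The Maven coordinates `com.github.briandilley.jsonrpc4j:jsonrpc4j` are assumed, not stated on this page; both manifests are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "com.github.briandilley.jsonrpc4j", "jsonrpc4j"   # assumed Maven coordinates
LAST_VULNERABLE = (1, 6, 0)                                          # "through version 1.6.0"

def version_key(version):
    """Numeric prefix as a tuple ('1.5.3-SNAPSHOT' -> (1, 5, 3)); None if not numeric."""
    m = re.match(r"\d+(\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_vulnerable(version):
    """True/False for a numeric version; None when it cannot be determined (an unresolved
    ${property} or a version inherited from a parent/BOM) and must be checked by hand."""
    key = version_key(version)
    return None if key is None else key <= LAST_VULNERABLE

def pom_versions(pom_xml):
    """jsonrpc4j versions declared in a pom.xml string, with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # drop the POM namespace so tag names compare plainly
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: (p.text or "").strip() for ps in root.iter("properties") for p in ps}
    found = []
    for dep in root.iter("dependency"):
        coords = (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())
        if coords == (GROUP, ARTIFACT):
            raw = dep.findtext("version", "").strip()
            found.append(re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw))
    return found

GRADLE_DEP = re.compile(r"""['"]%s:%s:([^'"]+)['"]""" % (re.escape(GROUP), ARTIFACT))

def gradle_versions(build_gradle):
    """jsonrpc4j versions from string-style Gradle coordinates 'group:artifact:version'."""
    return GRADLE_DEP.findall(build_gradle)

# Constructed sample manifests (not from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jsonrpc4j.version>1.6.0</jsonrpc4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.github.briandilley.jsonrpc4j</groupId>
      <artifactId>jsonrpc4j</artifactId>
      <version>${jsonrpc4j.version}</version>
    </dependency>
  </dependencies>
</project>"""
SAMPLE_GRADLE = "dependencies {\n  implementation 'com.github.briandilley.jsonrpc4j:jsonrpc4j:1.5.3'\n}\n"
```

Treat a `None` result as a finding to resolve manually (for example via `mvn dependency:tree`), since the effective version may come from a parent POM.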
Monitoring Recommendations
- Configure alerting for sustained high CPU usage in Java application servers
- Implement request timeout mechanisms at the load balancer or reverse proxy level
- Monitor thread pool exhaustion metrics in application servers
- Set up logging for JSON-RPC request processing times to identify anomalies
How to Mitigate CVE-2026-24802
Immediate Actions Required
- Identify all applications in your environment using jsonrpc4j version 1.6.0 or earlier
- Review the fix provided in GitHub Pull Request #333
- Plan an upgrade path to a patched version of jsonrpc4j once released
- Implement request timeouts at the application or infrastructure level as a defensive measure
Patch Information
A fix for this vulnerability has been proposed through GitHub Pull Request #333 in the briandilley/jsonrpc4j repository. Organizations should monitor this pull request for merge status and watch for a new release that incorporates the fix.
Until an official patched release is available, consider applying the patch manually from the pull request or implementing the workarounds described below.
Workarounds
- Implement request timeout mechanisms at the reverse proxy or API gateway level to prevent long-running requests from consuming resources indefinitely
- Configure thread pool limits and circuit breakers in your application to contain the impact of infinite loop conditions
- Apply rate limiting to JSON-RPC endpoints to reduce the potential for denial of service
- Consider temporarily restricting access to affected JSON-RPC services to trusted networks only
# Example: Configure nginx timeout for JSON-RPC endpoint
# proxy_read_timeout bounds how long nginx waits for the backend's response; a timed-out
# request frees the client connection but does not stop a backend thread that is already
# stuck in the loop, so pair this with the application-level timeouts and thread pool
# limits listed above.
location /jsonrpc {
    proxy_pass http://backend;
    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 30s;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.