CVE-2023-1370 HIGH

CVE-2023-1370: Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON

Vendor Json-Smart
Product json-smart
Weakness CWE-674
Published March 13, 2023
Last update February 27, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Key dates

02Disclosure timeline

March 13, 2023 CVE published
February 27, 2025 Record updated