A security vulnerability (CVE-2024-57699) has been identified in the open-source library Netplex Json-smart 2.5. through 2.5.1. Upon loading a JSON input containing an exceptionally large number of '{', the library can trigger a critical stack exhaustion, allowing an attacker to cause a Denial of Service (DoS) attack. This vulnerability is particularly concerning because it stems from an incomplete fix for a previously reported vulnerability, CVE-2023-137.

Background
Netplex Json-smart is a highly efficient JSON parser and generator for Java. Due to its outstanding performance, it has become widely adopted among developers of Java applications. However, recent security issues in this library have highlighted the importance of keeping it up-to-date.

Previous CVE-2023-137 Vulnerability

In 2023, a vulnerability identified as CVE-2023-137 was reported in the Netplex Json-smart library. This vulnerability was caused by a stack buffer overflow due to the handling of a large number of closing brackets '}'. The vulnerability was partially addressed, but a complete fix was not implemented. This oversight has led to the discovery of the current CVE-2024-57699 vulnerability.

Exploit Details

An attacker can exploit this vulnerability by crafting a JSON input containing an excessive number of opening brackets '{'. When the affected Json-smart library parses this input, the stack is exhausted, resulting in a Denial of Service (DoS).

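For example, consider the following code snippet using Json-smart:

```java
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;
// ...
// Untrusted JSON, e.g. a request body with excessive opening brackets.
// readUntrustedJson() is a hypothetical placeholder for your input source.
String jsonInput = readUntrustedJson();
JSONParser jsonParser = new JSONParser();
// parse() declares ParseException, so the enclosing method must handle or declare it
Object parsedObject = jsonParser.parse(jsonInput);
```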

If jsonInput contains a large number of '{', parsing can exhaust the stack, resulting in a Denial of Service (DoS).

Mitigations and Fixes

To mitigate and fix this vulnerability, users of the Json-smart library are urged to upgrade their installations to the latest version (2.5.2 or later), which addresses this issue. Users may also want to consider implementing input validation on JSON inputs passed to the library to limit the number of '{' characters and filter out malicious JSON inputs.
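The input validation suggested above can be done as a nesting-depth check before the parser is called. The following is an added example, not code from the Json-smart project: the class name, the limit of 64 and the sample strings are assumptions, and it also counts '[' as a conservative choice beyond the '{' case the advisory describes. It assumes the parser is configured to accept only double-quoted strings; in a permissive mode that accepts single-quoted or unquoted strings, the string tracking would no longer match the parser.

```java
/** Added example: pre-parse nesting guard for untrusted JSON. Not json-smart code. */
public class JsonDepthGuard {
    /** Hypothetical limit; size it to the deepest legitimate payload you expect. */
    static final int MAX_DEPTH = 64;

    /**
     * Returns true only if nesting stays within maxDepth and no string is left
     * unterminated. One iterative pass, so the guard cannot exhaust the stack.
     * Assumption: the parser accepts double-quoted strings only (strict mode).
     */
    static boolean withinDepth(CharSequence json, int maxDepth) {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) escaped = false;          // char after a backslash
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;                              // brackets in strings do not nest
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) return false;
                    break;
                case '}': case ']':
                    if (depth > 0) depth--;
                    break;
                default: break;
            }
        }
        return !inString;                              // fail closed on a dangling quote
    }

    public static void main(String[] args) {
        // Constructed samples, not taken from the page (String.repeat needs Java 11+).
        String normal = "{\"user\":{\"tags\":[\"a{\",\"b[\"],\"note\":\"x\\\"{{{\"}}";
        String nested = "{".repeat(10_000);
        System.out.println(withinDepth(normal, MAX_DEPTH));
        System.out.println(withinDepth(nested, MAX_DEPTH));
        // Only input for which withinDepth(...) is true should reach jsonParser.parse(...).
    }
}
```

A guard like this complements the upgrade and does not replace it; pairing it with a cap on total input size keeps the scan itself cheap.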

Original References

- CVE-2024-57699 - National Vulnerability Database
- CVE-2023-137 - [National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2023-137)
- Netplex Json-smart - [GitHub Repository](https://github.com/netplex/json-smart)

Conclusion

The CVE-2024-57699 vulnerability poses a risk to applications using older versions of the Netplex Json-smart library. Upgrading to the latest version and performing input validation to avoid malicious JSON inputs with excessive opening brackets should significantly reduce the risk of being impacted by this vulnerability. Stay vigilant, and keep your libraries up-to-date to minimize the risk posed by security vulnerabilities.

Timeline

Published on: 02/05/2025 22:15:33 UTC
Last modified on: 02/06/2025 16:15:41 UTC