A recent discovery by ClusterFuzz has unveiled a critical vulnerability, CVE-2023-5072, within JSON-Java versions up to and including 20230618. This flaw, identified as a denial of service (DoS) threat, arises from a parser bug that triggers excessive memory usage when processing even moderately sized input strings.
The vulnerability is in the JSON-Java parser, where an input string of moderate size can result in an indefinite spike in memory consumption.
There are two primary issues: firstly, an exploit allows bypassing a check designed to prevent a JSON object's key from becoming another JSON object. Secondly, if such an event occurs, the key converts into a string using escape characters like \, leading to an escalating number of \ characters within the escaped string through nested JSON objects.
Rated as high severity, this DoS vulnerability has been addressed. However, the remaining risk pertains to existing binaries that haven't undergone updates.
The vulnerability has been rectified through this PR.
Further information and a code example is available at this advisory.
