Stack overflow error caused by json-simple serialization Map
Description
json-simple before v1.1.1 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
Exception in thread "main" java.lang.StackOverflowError
at java.base/java.lang.StringBuffer.<init>(StringBuffer.java:131)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:89)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:119)
at org.json.simple.JSONObject.toJSONString(JSONObject.java:101)
at org.json.simple.JSONValue.toJSONString(JSONValue.java:202)
Stack overflow error caused by json-simple serialization Map
Description
json-simple before v1.1.1 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Error Log
PoC
Rectification Solution
Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027))
References