mjson Denial-of-Service Vulnerability in Version 1.2.7

A denial-of-service vulnerability has been identified in the mjson JSON parsing library, specifically in version 1.2.7. The issue arises in the 'mystrtod' function, where certain digit strings trigger an excessive number of iterations—over a billion—during processing. This flaw causes significant delays, with parsing times exceeding 10 seconds, in contrast to other JSON parsers that handle the same input quickly. The vulnerability is particularly concerning because mjson is intended for use in resource-constrained embedded devices, such as those found in critical industrial control systems, where such delays could have severe consequences.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing excessive delays in JSON parsing that could disrupt time-sensitive operations, especially in embedded systems used for industrial control.

Reproduction

The vulnerability can be reproduced by compiling a C program that includes the mjson library and tests the 'mystrtod' function with a specific digit string. The compiled program will demonstrate the prolonged parsing time, confirming the denial-of-service condition.