Netplex Json-smart Stack Exhaustion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Netplex Json-smart versions 2.5.0 prior to 2.5.1. The library's JSON parser recurses once for every nested array or object and places no limit on nesting depth, so specially crafted input containing a large number of opening braces drives the recursion deep enough to exhaust the stack. The resulting stack overflow crashes the application that parsed the input.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to a crash of the application that is parsing the malformed JSON.

Reproduction

To reproduce this vulnerability, feed the library a JSON document made up of a very large number of nested objects, i.e. a long run of '{' characters. Json-smart recurses into each nested object without any depth limit, exhausting the stack and crashing the application.
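As an added defensive example (not part of this advisory or of the Json-smart project), the following Python scanner measures the nesting depth of raw JSON text in a single non-recursive pass and rejects input that exceeds a configured limit before it reaches any recursive parser; the MAX_DEPTH value is an assumed deployment limit and both sample inputs are constructed.

```python
"""Pre-parse nesting-depth guard for JSON input.

Counts '{' and '[' nesting in one linear pass, skipping string contents so
that braces inside string literals are not counted, and reports the deepest
level seen. The check is iterative, so it cannot itself exhaust the stack.
"""

MAX_DEPTH = 64  # assumed limit; tune to the depth your data legitimately needs


def max_nesting_depth(text: str) -> int:
    """Return the deepest object/array nesting level found in `text`."""
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > deepest:
                deepest = depth
        elif ch in "}]":
            depth -= 1  # unbalanced input goes negative; the real parser reports that
    return deepest


def exceeds_depth(text: str, limit: int = MAX_DEPTH) -> bool:
    """True if the input should be rejected before it is handed to a parser."""
    return max_nesting_depth(text) > limit


# Constructed inputs: a benign document (with a brace inside a string) and the
# kind of payload the advisory describes, a long run of opening braces.
BENIGN = '{"user": {"name": "a{b", "tags": ["x", ["y"]]}}'
DEEP = "{" * 100_000 + "}" * 100_000

if __name__ == "__main__":
    print(max_nesting_depth(BENIGN), exceeds_depth(BENIGN))  # 4 False
    print(max_nesting_depth(DEEP), exceeds_depth(DEEP))      # 100000 True
```

Running the guard in front of the parser turns a crash into a rejected request, and the rejected depth is also a useful signal to log for detection.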

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          4.2
impact          2.5
exploitability  6.0
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.