MaJerle lwjson Streaming JSON Parser Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in lwjson version 1.8.1, in the streaming JSON parser component. The issue arises from improper input validation in the end-of-string detection logic, which does not correctly interpret escaped quote characters. As a result, valid JSON strings that end with an escaped backslash are mishandled, and applications that use the lwjson_stream_parse() function hang indefinitely. Remote attackers can exploit this by sending well-formed JSON payloads that trigger the parsing error, leading to a persistent application freeze.
Impact
Exploitation of this vulnerability causes applications to hang indefinitely, disrupting normal operation and potentially leading to resource exhaustion.
Reproduction
To reproduce this vulnerability, send a JSON string that includes an escaped backslash at the end, such as one containing an escaped quote followed by a backslash. The streaming parser processes the escaped characters incorrectly and fails to recognize the end of the string, so the application hangs. Any tool or script that can send JSON payloads will do, such as a custom application or a command-line tool like curl, with the JSON string described above included in the request.
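The end-of-string problem described under Vulnerability and Reproduction, as an added example that is not lwjson's code: a naive "previous byte is a backslash" check beside an escape-state tracker, run over constructed string bodies. The naive check is an assumed model of this class of flaw, and all names (str_scan_t, feed_naive, feed_tracked, scan_body) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Scanner state for one JSON string body (the bytes after the opening quote). */
typedef struct {
    char prev;    /* previous byte, used only by the naive check */
    int escaped;  /* 1 while the previous byte was an unpaired backslash */
} str_scan_t;

/* Naive check (assumed flaw model): a quote ends the string unless the
   previous byte is a backslash, even if that backslash was itself escaped. */
static int feed_naive(str_scan_t *st, char c) {
    int end = (c == '"' && st->prev != '\\');
    st->prev = c;
    return end;
}

/* Escape tracking: a backslash consumes exactly one following byte. */
static int feed_tracked(str_scan_t *st, char c) {
    if (st->escaped) { st->escaped = 0; return 0; }
    if (c == '\\') { st->escaped = 1; return 0; }
    return c == '"';
}

typedef int (*feed_fn)(str_scan_t *, char);

/* Feed a body byte by byte. Returns the offset of the closing quote, or -1
   if the scanner is still waiting for one when the input runs out. */
static int scan_body(feed_fn feed, const char *body) {
    str_scan_t st = {0, 0};
    for (size_t i = 0, n = strlen(body); i < n; ++i) {
        if (feed(&st, body[i])) return (int)i;
    }
    return -1;
}

/* Constructed sample bodies; the comment shows the raw bytes. */
static const char BODY_PLAIN[] = "abc\"";          /* abc"   */
static const char BODY_ESC_QUOTE[] = "a\\\"b\"";   /* a\"b"  */
static const char BODY_ESC_BSL[] = "abc\\\\\"";    /* abc\\" */

int main(void) {
    const char *bodies[] = {BODY_PLAIN, BODY_ESC_QUOTE, BODY_ESC_BSL};
    for (size_t i = 0; i < 3; ++i) {
        printf("naive=%d tracked=%d\n", scan_body(feed_naive, bodies[i]),
               scan_body(feed_tracked, bodies[i]));
    }
    return 0;
}
```

A result of -1 corresponds to a streaming parser that never leaves the string state, which is the hang described above; only the body ending in an escaped backslash separates the two checks.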
Remediation
Users can update to lwjson version 1.8.2 or later, where this vulnerability has been fixed.
