CVE-2021-31684

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability exists in the indexOf function of JSONParserByteArray, the byte-array parser in JSON Smart (Maven coordinates net.minidev:json-smart, a Java library). An unauthenticated attacker who can get a crafted JSON document parsed by an affected application, typically through a web request, can drive the parser into a failure that takes the service down. The CVE description lists JSON Smart versions 1.3 and 2.4 as affected.

💻 Affected Systems

Products:
  • JSON Smart
Versions: 1.3 and 2.4 (as listed in the CVE description)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that parses untrusted JSON with a vulnerable JSON Smart version is affected, regardless of configuration. This includes applications that never declare json-smart themselves but receive it transitively, for example through nimbus-jose-jwt.

📦 What is this software?

JSON Smart (net.minidev:json-smart, developed as json-smart-v2 on GitHub) is a small, fast Java library for parsing and serializing JSON. Few applications choose it directly; it usually arrives as a transitive dependency of other libraries, nimbus-jose-jwt being a common one, so it is present in many applications whose developers have never looked at it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who can reach a parsing endpoint keeps the service down for as long as they care to replay the payload. If the parser sits in a shared component (an API gateway, or a token-validation layer built on nimbus-jose-jwt, which uses json-smart), several services fail at once.

🟠

Likely Case

Application instability or crashes when processing malicious JSON payloads, resulting in temporary service disruption.

🟢

If Mitigated

Limited impact when request bodies are size-capped and rate-limited before they reach the parser; these controls reduce exposure but only the patched library removes the defect.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending the crafted JSON to an endpoint that parses request bodies with the affected library; no authentication or user interaction is needed, which is what the 7.5 score reflects (the standard unauthenticated network DoS vector, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The public proof-of-concept is in the vendor's GitHub issue linked under Official Fix.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: JSON Smart 2.4.2 or later

Vendor Advisory: https://github.com/netplex/json-smart-v2/issues/67

Restart Required: Yes

Instructions:

1. Update the net.minidev:json-smart dependency to 2.4.2 or later. If it is only a transitive dependency, force the version with a dependencyManagement entry (Maven) or a dependency constraint (Gradle) instead of adding a second copy.
2. Rebuild and redeploy the affected applications, and confirm in the resolved dependency tree that no older json-smart version is still pulled in.
3. Restart the services so the updated JAR is loaded; a running JVM keeps using the old class files until then.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Validating JSON properly means parsing it, so a filter placed in front of the vulnerable parser can only do cheap checks: enforce the expected Content-Type, cap the request body size (the crafted input still has to arrive as bytes), and reject bodies that an independent, patched parser refuses as malformed. Never feed the raw request bytes to the vulnerable JSONParserByteArray first and validate afterwards.

Rate Limiting (all platforms)

Rate-limit the endpoints that parse JSON, per client, at the reverse proxy or gateway. This bounds how often one client can trigger the condition; it does not stop a single request from affecting a process, so it reduces impact rather than removing it.

🧯 If You Can't Patch

  • Add WAF rules that cap JSON body size and reject malformed bodies; pattern-based rules only help if they are derived from the public proof-of-concept, while size and well-formedness rules work regardless
  • Put the vulnerable services behind a reverse proxy that enforces Content-Type, body-size limits and per-client rate limits before any request reaches the application

🔍 How to Verify

Check if Vulnerable:

Check whether the application, or anything it depends on, resolves net.minidev:json-smart to version 1.3 or to a 2.4.x release earlier than 2.4.2. Build files alone are not enough: the library is usually transitive, so inspect the resolved dependency tree (mvn dependency:tree for Maven, gradle dependencies for Gradle).

Check Version:

Look in pom.xml or build.gradle for an explicit json-smart version, then confirm the resolved version with the dependency tree, since a transitive version or a dependencyManagement entry can override what the build file shows. (JSON Smart is a Java library; it does not appear in package.json.) On a deployed system, the JAR name, json-smart-<version>.jar under WEB-INF/lib or the application's lib directory, gives the version actually loaded.

Verify Fix Applied:

Confirm that every resolution of net.minidev:json-smart in the dependency tree, and every json-smart JAR shipped with the application, is 2.4.2 or later, then make sure the service was restarted after the new JAR was deployed.
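The dependency-tree check described above, as an added example (this is not code from the json-smart project): a POSIX shell script that pulls every resolved net.minidev:json-smart version out of Maven or Gradle dependency-tree output and flags anything below 2.4.2, the fixed release this page names. The sample tree at the bottom is constructed for the example; the route through nimbus-jose-jwt is typical, but the version numbers in it are illustrative only.

```shell
#!/bin/sh
# Scan "mvn dependency:tree" or "gradle dependencies" output for
# net.minidev:json-smart and report any resolution below the fixed release.
# Added example; not part of the json-smart project.

FIXED_VERSION="2.4.2"   # fixed release as stated in the Fix section of this page

# Print one resolved json-smart version per matching line of the tree on stdin.
# Handles the Maven form  "net.minidev:json-smart:jar:2.4.1:compile",
# the Gradle form         "net.minidev:json-smart:2.4.1 (*)", and
# Gradle conflict output  "net.minidev:json-smart:2.4.1 -> 2.4.8", where the
# version after "->" is the one actually placed on the classpath.
extract_json_smart_versions() {
  awk '/net\.minidev:json-smart/ {
    line = $0
    if (index(line, " -> ") > 0) {
      sub(/.* -> /, "", line)                     # keep the resolved version
    } else {
      sub(/.*net\.minidev:json-smart:/, "", line) # drop everything before the version
      sub(/^jar:/, "", line)                      # Maven inserts the packaging type
    }
    sub(/[ (:].*/, "", line)                      # strip ":compile", " (*)" and the like
    print line
  }'
}

# Exit 0 when version $1 sorts before FIXED_VERSION (update required), 1 otherwise.
# Compares numeric major.minor.patch; qualifiers such as "-SNAPSHOT" are ignored.
is_below_fixed_version() {
  awk -v v="$1" -v fixed="$FIXED_VERSION" 'BEGIN {
    sub(/[^0-9.].*/, "", v)
    n = split(v, p, ".")
    for (i = n + 1; i <= 3; i++) p[i] = 0         # "1.3" compares as 1.3.0
    split(fixed, f, ".")
    for (i = 1; i <= 3; i++) {
      if (p[i] + 0 < f[i] + 0) exit 0
      if (p[i] + 0 > f[i] + 0) exit 1
    }
    exit 1                                        # equal to the fixed version
  }'
}

# Read a dependency tree on stdin, print a verdict per occurrence, and return 0
# only if every json-smart resolution is at or above FIXED_VERSION.
check_dependency_tree() {
  result=0
  found=0
  for v in $(extract_json_smart_versions); do
    found=1
    if is_below_fixed_version "$v"; then
      echo "net.minidev:json-smart $v: below $FIXED_VERSION, update required"
      result=1
    else
      echo "net.minidev:json-smart $v: ok"
    fi
  done
  [ "$found" -eq 1 ] || echo "net.minidev:json-smart not present in this tree"
  return "$result"
}

# Constructed sample in Maven's format: json-smart arrives transitively through
# nimbus-jose-jwt, which is how most applications end up with it. The version
# numbers are illustrative, not a record of nimbus-jose-jwt's real dependencies.
SAMPLE_MAVEN_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.1:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile'

if printf '%s\n' "$SAMPLE_MAVEN_TREE" | check_dependency_tree; then
  echo "no action needed"
else
  echo "at least one json-smart resolution is below $FIXED_VERSION"
fi
```

To check a real project, source the file and pipe the real tree into the last function: `mvn dependency:tree | check_dependency_tree` or `./gradlew dependencies | check_dependency_tree`. The exit status is 1 when any occurrence is below the fixed version, so the same call works as a CI gate.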

📡 Detection & Monitoring

Log Indicators:

  • Worker threads or the whole process dying, or request handling stalling, immediately after a JSON body was read
  • CPU or memory spikes tied to JSON parsing, and Java stack traces that mention net.minidev.json.parser.JSONParserByteArray, the class named in the CVE

Network Indicators:

  • Unusually large or malformed JSON bodies sent to endpoints that parse request bodies
  • The same JSON body repeated from one source, each occurrence followed by service degradation

SIEM Query:

source="application_logs" AND ("JSONParserByteArray" OR "JSON parsing error" OR "OutOfMemoryError" OR "StackOverflowError")

🔗 References

  • https://github.com/netplex/json-smart-v2/issues/67 (vendor issue containing the public proof-of-concept)
  • https://nvd.nist.gov/vuln/detail/CVE-2021-31684