CVE-2023-34609

7.5 HIGH

📋 TL;DR

This vulnerability in flexjson allows attackers to cause denial of service or potentially other impacts by sending crafted objects with cyclic dependencies. It affects all applications using vulnerable versions of the flexjson library for JSON processing. The issue stems from improper handling of object graphs during serialization/deserialization.

💻 Affected Systems

Products:
  • flexjson
Versions: All versions through 3.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using flexjson for JSON serialization/deserialization is vulnerable when processing untrusted input.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to denial of service, potential memory exhaustion, or in rare cases remote code execution if combined with other vulnerabilities.

🟠

Likely Case

Application instability, increased resource consumption, and denial of service affecting JSON processing functionality.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in bug reports showing cyclic dependency creation. Exploitation requires sending crafted JSON payloads to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.3

Vendor Advisory: https://sourceforge.net/p/flexjson/bugs/

Restart Required: Yes

Instructions:

1. Upgrade flexjson to a version after 3.3.
2. Update application dependencies.
3. Restart affected services.
4. Test JSON processing functionality.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to reject JSON payloads with cyclic dependencies before processing.

Resource limiting (applies to: all)

Configure application servers to limit request size and processing time for JSON endpoints.

🧯 If You Can't Patch

  • Implement WAF rules to detect and block JSON payloads with cyclic object patterns
  • Isolate vulnerable services behind reverse proxies with request inspection capabilities

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for flexjson version 3.3 or earlier. Review whether the application processes JSON from untrusted sources.

Check Version:

Check build configuration files (pom.xml, build.gradle, package.json) for the flexjson dependency version.

Verify Fix Applied:

Verify that the flexjson version in use is later than 3.3. Test with known cyclic dependency payloads to confirm that they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow errors
  • Out of memory errors
  • Unusually large JSON processing times
  • Application crashes during JSON parsing

Network Indicators:

  • Large JSON payloads with repeated object references
  • Multiple rapid requests to JSON endpoints

SIEM Query:

source="application_logs" AND ("StackOverflowError" OR "OutOfMemoryError" OR "JSON processing timeout")
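The same indicators as a stand-alone log scanner, added here as an example and not part of the original advisory. The log line layout, the sample lines and the 5000 ms "unusually slow" threshold are constructed assumptions; tune the threshold to the service's normal JSON latency.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample log lines (not real application output), in an assumed
# "timestamp level message" layout, used only to exercise the detector.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z INFO  JSON request processed in 12ms",
    "2024-01-01T10:00:01Z ERROR java.lang.StackOverflowError during JSON serialization",
    "2024-01-01T10:00:02Z ERROR java.lang.OutOfMemoryError: Java heap space during JSON serialization",
    "2024-01-01T10:00:03Z WARN  JSON processing timeout after 30000ms",
    "2024-01-01T10:00:04Z INFO  JSON request processed in 8500ms",
    "2024-01-01T10:00:05Z INFO  user login ok",
]

# The three terms from the SIEM query above, matched verbatim.
ERROR_PATTERNS = ("StackOverflowError", "OutOfMemoryError", "JSON processing timeout")
# Assumed threshold for the "unusually large JSON processing time" indicator.
SLOW_MS_THRESHOLD = 5000
_TIMING_RE = re.compile(r"processed in (\d+)ms")


def classify(line: str) -> Optional[str]:
    """Return the indicator label a line matches, or None if it looks benign."""
    for pattern in ERROR_PATTERNS:
        if pattern in line:
            return pattern
    m = _TIMING_RE.search(line)
    if m and "JSON" in line and int(m.group(1)) >= SLOW_MS_THRESHOLD:
        return "slow JSON processing"
    return None


def scan_logs(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator, line) pairs for every line that matches an indicator."""
    return [(label, line) for line in lines for label in [classify(line)] if label]


def indicator_counts(lines: Iterable[str]) -> dict:
    """Aggregate hits per indicator, the shape a SIEM dashboard would chart."""
    counts: dict = {}
    for label, _ in scan_logs(lines):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, line in scan_logs(SAMPLE_LOGS):
        print(f"[{label}] {line}")
```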
