CVE-2023-34611

7.5 HIGH

📋 TL;DR

This vulnerability in mjson library versions through 1.4.1 allows attackers to cause a denial of service, or potentially other impacts, by sending crafted JSON objects containing cyclic dependencies. Any application that uses a vulnerable mjson version for JSON parsing is affected.

💻 Affected Systems

Products:
  • mjson
Versions: through 1.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using mjson for JSON parsing is vulnerable by default when processing untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to infinite recursion or memory exhaustion, potentially leading to remote code execution if memory corruption occurs.

🟠 Likely Case

Denial of service causing application crashes or high resource consumption when processing malicious JSON input.

🟢 If Mitigated

Limited impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in the GitHub issue. Exploitation requires sending malicious JSON to the vulnerable parser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2 or later

Vendor Advisory: https://github.com/bolerio/mjson/issues/40

Restart Required: Yes

Instructions:

1. Update mjson to version 1.4.2 or later.
2. Restart affected applications.
3. Test JSON parsing functionality.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to reject JSON with cyclic dependencies before parsing.

Resource limiting (applies to: all)

Configure memory and recursion limits for JSON parsing operations.
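One way to apply both workarounds in code, as an added example that is not part of this advisory or of the mjson project: a guard that bounds the size and nesting depth of untrusted JSON text before it is handed to a parser. It assumes the application is Java (mjson is a Java library), receives the request body as a String, and would pass the returned text on to the parser afterwards; the class name and the limits of 64 KiB and depth 32 are assumed values, not settings from mjson.

```java
import java.nio.charset.StandardCharsets;
/** Pre-parse guard: bounds size and nesting depth of untrusted JSON text
 *  before it reaches any recursive-descent parser (hypothetical helper). */
public final class JsonInputGuard {
    private final int maxBytes;
    private final int maxDepth;
    public JsonInputGuard(int maxBytes, int maxDepth) {
        this.maxBytes = maxBytes;
        this.maxDepth = maxDepth;
    }
    /** Returns the text unchanged if it is within limits; throws otherwise. */
    public String check(String json) {
        if (json.getBytes(StandardCharsets.UTF_8).length > maxBytes) {
            throw new IllegalArgumentException("JSON exceeds " + maxBytes + " bytes");
        }
        int depth = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                // Brackets inside string literals are data, not structure.
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth)
                        throw new IllegalArgumentException("JSON nesting deeper than " + maxDepth);
                    break;
                case '}': case ']':
                    if (--depth < 0)
                        throw new IllegalArgumentException("Unbalanced JSON close at index " + i);
                    break;
            }
        }
        if (depth != 0) throw new IllegalArgumentException("Unbalanced JSON: " + depth + " open container(s)");
        return json;
    }
    public static void main(String[] args) {
        JsonInputGuard guard = new JsonInputGuard(64 * 1024, 32);
        // Constructed samples: a benign document and one nested 40 deep (past the limit of 32).
        guard.check("{\"user\":\"alice\",\"tags\":[\"a\",\"b\"],\"note\":\"[not nesting]\"}");
        String deep = "[".repeat(40) + "]".repeat(40);
        try { guard.check(deep); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The guard only enforces the size and depth limits the workaround describes; it is not a replacement for upgrading to 1.4.2 or later.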

🧯 If You Can't Patch

  • Implement WAF rules to block JSON payloads with cyclic dependency patterns
  • Isolate vulnerable systems behind reverse proxies with request filtering

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses mjson version <= 1.4.1 via its dependency manifest or package manager.

Check Version:

Check your dependency manifest (package.json, requirements.txt, or the equivalent for your build system) for the mjson version.

Verify Fix Applied:

Verify that the mjson version is >= 1.4.2 and test with known malicious JSON payloads.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during JSON parsing
  • High memory usage spikes
  • Stack overflow errors

Network Indicators:

  • Incoming JSON payloads with circular references
  • Repeated JSON parsing requests

SIEM Query:

search 'mjson' AND ('crash' OR 'memory' OR 'recursion')
