CVE-2023-35110

7.5 HIGH

📋 TL;DR

CVE-2023-35110 is a vulnerability in the jjson library, versions through 0.1.7, in which attackers can cause a denial of service or other impacts by sending JSON objects with cyclic dependencies. It affects any application that uses a vulnerable jjson version for JSON parsing. The cyclic references cause infinite recursion during parsing, consuming system resources.

💻 Affected Systems

Products:
  • jjson library
Versions: All versions through 0.1.7
Operating Systems: All platforms where jjson is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jjson for JSON parsing without input validation is vulnerable; the flaw is in the parsing logic itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service through resource exhaustion (CPU/memory), potentially leading to application crashes and service unavailability.

🟠 Likely Case: Application instability, increased resource consumption, and degraded performance when processing malicious JSON payloads.

🟢 If Mitigated: Minimal impact with proper input validation, resource limits, and updated library versions.

🌐 Internet-Facing: HIGH - Any internet-facing service using jjson for JSON parsing is vulnerable to DoS attacks via crafted requests.
🏢 Internal Only: MEDIUM - Internal services could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires sending a specially crafted JSON object with cyclic references. No authentication is needed if the service accepts JSON input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.1.8 or later

Vendor Advisory: https://github.com/grobmeier/jjson/issues/2

Restart Required: Yes

Instructions:

1. Update the jjson dependency to version 0.1.8 or later.
2. Update package.json or the build configuration.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Input validation and sanitization (all)

Implement JSON schema validation or input sanitization to reject objects with cyclic dependencies.

Resource limiting (all)

Configure the application to limit recursion depth and resource usage during JSON parsing.

🧯 If You Can't Patch

  • Implement WAF rules to detect and block JSON objects with cyclic references
  • Isolate vulnerable services behind reverse proxies with request filtering capabilities
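As an added example (not part of this advisory or the jjson project), the following Python pre-filter implements the "limit recursion depth" workaround and the request-filtering idea above: it bounds JSON nesting depth iteratively before the payload reaches any parser. The depth cap of 32 and the sample payloads are assumptions constructed for the example.

```python
import json

MAX_DEPTH = 32  # assumed cap (not from the advisory); tune for your schema


def json_nesting_depth(text: str) -> int:
    """Return the maximum nesting depth of objects/arrays in `text`.

    Scans iteratively (no recursion), so the check itself cannot be driven
    into a stack overflow by the payload it inspects. Brackets inside
    string literals are skipped so "a[{" in a value does not count.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth = max(depth - 1, 0)
    return max_depth


def parse_bounded(text: str, max_depth: int = MAX_DEPTH):
    """Reject over-nested payloads before they reach the JSON parser."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


# Constructed sample inputs: a benign request body and an over-nested one.
BENIGN = '{"user": {"id": 7, "roles": ["admin", "ops"], "note": "a[{\\"x\\"}]"}}'
DEEP = "[" * 500 + "]" * 500
```

Place the check in the reverse proxy or request middleware in front of the vulnerable service; rejected requests can be logged and correlated with the detection indicators below.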

🔍 How to Verify

Check if Vulnerable:

Check package.json or the dependency manifest for a jjson version <= 0.1.7.

Check Version:

Run npm list jjson (for Node.js) or check the project's dependency files.

Verify Fix Applied:

Verify that the jjson version is 0.1.8 or later in package.json, then test with cyclic JSON objects.

📡 Detection & Monitoring

Log Indicators:

  • High CPU/memory usage spikes
  • Application crashes during JSON parsing
  • Stack overflow errors in logs

Network Indicators:

  • Unusually large JSON payloads
  • Repeated JSON parsing requests

SIEM Query:

source=application_logs AND ("stack overflow" OR "out of memory" OR "recursion depth") AND process="*jjson*"
