CVE-2023-51080 – A stack overflow vulnerability in hutool-core's... (How to Fix)

Q: What is the severity of CVE-2023-51080?

CVE-2023-51080 has a CVSS score of 7.5 (HIGH). A stack overflow vulnerability in hutool-core's NumberUtil.toBigDecimal method allows attackers to cause denial of service by providing specially crafted input. This affects applications using vulnerable versions of the hutool library for Java data processing. The vulnerability can be triggered remotely if the application processes untrusted input through this method.

📋 TL;DR

A stack overflow vulnerability in hutool-core's NumberUtil.toBigDecimal method allows attackers to cause denial of service by providing specially crafted input. This affects applications using vulnerable versions of the hutool library for Java data processing. The vulnerability can be triggered remotely if the application processes untrusted input through this method.

💻 Affected Systems

Products:

hutool-core

Versions: v5.8.23 (specifically mentioned), potentially earlier versions with same code

Operating Systems: All platforms running Java applications with hutool

Default Config Vulnerable: ⚠️ Yes

Notes: Any Java application using hutool-core's NumberUtil.toBigDecimal method with untrusted input is vulnerable. The vulnerability is in the library itself, not dependent on specific application configurations.

📦 What is this software?

Hutool by Hutool

View all CVEs affecting Hutool →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash and denial of service, potentially leading to system instability if the JVM crashes due to stack exhaustion.

🟠

Likely Case

Application becomes unresponsive or crashes when processing malicious input through the vulnerable method, causing service disruption.

🟢

If Mitigated

Limited impact with proper input validation and error handling preventing malicious input from reaching the vulnerable function.

🌐 Internet-Facing: MEDIUM - Applications that accept untrusted numeric input via web interfaces or APIs could be vulnerable to DoS attacks.

🏢 Internal Only: LOW - Internal systems with controlled input sources have lower exposure, but risk exists if processing untrusted data.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is straightforward to exploit by providing input that triggers deep recursion. Public GitHub issues demonstrate the problem and potential exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.8.24 or later

Vendor Advisory: https://github.com/dromara/hutool/issues/3423

Restart Required: Yes

Instructions:

1. Update hutool-core dependency to v5.8.24 or later in your project's build configuration (pom.xml for Maven, build.gradle for Gradle). 2. Rebuild your application. 3. Redeploy the updated application. 4. Restart the application server/container.

🔧 Temporary Workarounds

Input validation wrapper

all

Implement input validation before calling NumberUtil.toBigDecimal to prevent malicious input

// Java code example:
// Validate input length before processing
if (inputString != null && inputString.length() < 1000) {
    BigDecimal result = NumberUtil.toBigDecimal(inputString);
}

Custom BigDecimal parsing

all

Replace NumberUtil.toBigDecimal calls with Java's built-in BigDecimal constructor with validation

// Java code example:
// Use BigDecimal constructor directly with validation
try {
    BigDecimal result = new BigDecimal(inputString);
} catch (NumberFormatException e) {
    // Handle invalid input
}

🧯 If You Can't Patch

Implement strict input validation and sanitization for all numeric inputs
Add rate limiting and request filtering to prevent DoS attacks

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml, build.gradle) for hutool-core version 5.8.23 or earlier. Also check deployed JAR files for vulnerable version.

Check Version:

For Maven: mvn dependency:tree | grep hutool-core
For Gradle: gradle dependencies | grep hutool-core
For deployed JAR: java -jar your-app.jar --version (if supported) or check MANIFEST.MF

Verify Fix Applied:

Verify hutool-core version is 5.8.24 or later in dependencies and deployed application. Test that NumberUtil.toBigDecimal handles various inputs without crashing.

📡 Detection & Monitoring

Log Indicators:

StackOverflowError exceptions in logs
Application crashes or restarts
High CPU usage followed by process termination
Repeated failed requests to endpoints processing numeric input

Network Indicators:

Unusually large numeric values in requests
Repeated requests with similar payloads causing timeouts
Traffic patterns suggesting DoS attempts

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR "java.lang.StackOverflowError") AND "NumberUtil.toBigDecimal"

📊 Metadata

CVE ID: CVE-2023-51080

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-787

Published: December 27, 2023

Last Updated: September 12, 2025

🔗 References

https://github.com/dromara/hutool/issues/3423 Exploit,Issue Tracking,Patch
https://github.com/dromara/hutool/issues/3423 Exploit,Issue Tracking,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-51080, you might also want to check these: