CVE-2023-7272

8.6 HIGH

📋 TL;DR

This vulnerability in Eclipse Parsson allows attackers to cause a denial of service by sending JSON documents with deeply nested objects or arrays, which drives the recursive parser into a Java StackOverflowError. Any application using a vulnerable version of Eclipse Parsson for JSON processing is affected, particularly web services and APIs that accept JSON input from untrusted clients.

💻 Affected Systems

Products:
  • Eclipse Parsson
Versions: 1.0.x releases before 1.0.4 and 1.1.x releases before 1.1.3
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Parsson for JSON parsing without input depth limits is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to stack overflow crashes, potentially affecting multiple services if a shared library is used.

🟠 Likely Case

Targeted denial of service against specific endpoints that process JSON, causing intermittent service disruptions.

🟢 If Mitigated

Limited impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious JSON payloads to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4 or 1.1.3

Vendor Advisory: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12

Restart Required: Yes

Instructions:

1. Update the Parsson dependency to version 1.0.4 or 1.1.3.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Implement JSON depth validation (all platforms)

Add input validation that limits the maximum nesting depth of a JSON document before it is handed to the parser.

Configure JVM stack size (all platforms)

Increase the Java thread stack size to reduce the likelihood of overflow. This only raises the nesting depth an attacker needs; it is a temporary mitigation, not a fix.

java -Xss2m -jar yourapp.jar
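An added example (not Parsson's or this page's own code) of the pre-parse depth check described above, written in Python so the same logic can serve as a WAF rule: it scans the raw text once, ignores brackets inside string literals, and rejects the document before a recursive parser ever sees it. The 64-level limit and the names JsonTooDeep, max_nesting_depth and safe_loads are assumptions for this example.

```python
import json

MAX_DEPTH = 64  # assumed limit; tune to the nesting your schemas legitimately need


class JsonTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the configured limit."""


def max_nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the maximum '{'/'[' nesting depth of `text`.

    Raises JsonTooDeep as soon as `limit` is exceeded, so a hostile document
    costs O(limit) work instead of being scanned to the end. Brackets inside
    string literals (including after escaped quotes) are ignored. Structural
    validity is not checked here; the real parser still runs afterwards.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > limit:
                raise JsonTooDeep(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth = max(depth - 1, 0)    # unbalanced closers are left to the parser
    return max_depth


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Depth-check first, then hand off to the real parser (json here, Parsson in Java)."""
    max_nesting_depth(text, limit)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed hostile payload: 100k nested arrays, rejected before parsing.
    hostile = "[" * 100_000 + "]" * 100_000
    try:
        safe_loads(hostile)
    except JsonTooDeep as exc:
        print("rejected:", exc)
```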

🧯 If You Can't Patch

  • Implement WAF rules to block JSON documents with excessive nesting depth
  • Deploy rate limiting on JSON processing endpoints to limit attack impact

🔍 How to Verify

Check if Vulnerable:

Check the Parsson version in your dependency tree with mvn dependency:tree | grep parsson (Maven) or gradle dependencies | grep parsson (Gradle).

Check Version:

java -cp "parsson-*.jar" org.eclipse.parsson.Version

Verify Fix Applied:

Confirm the Parsson version in the dependency manifest is 1.0.4 or later on the 1.0.x line, or 1.1.3 or later on the 1.1.x line.

📡 Detection & Monitoring

Log Indicators:

  • StackOverflowError in logs
  • OutOfMemoryError related to JSON parsing
  • Abnormal termination of JSON processing threads

Network Indicators:

  • Large JSON payloads with repeated nesting patterns
  • Sudden spikes in JSON processing requests

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR "java.lang.StackOverflowError") AND "JSON"
