CVE-2024-57699 – This vulnerability in Netplex Json-smart 2.5.0-... (How to Fix)

Q: What is the severity of CVE-2024-57699?

CVE-2024-57699 has a CVSS score of 7.5 (HIGH). This vulnerability in Netplex Json-smart 2.5.0-2.5.1 allows attackers to cause denial of service through stack exhaustion by sending specially crafted JSON with excessive '{' characters. It affects applications using these vulnerable versions for JSON parsing. This is an incomplete fix for CVE-2023-1370.

📋 TL;DR

This vulnerability in Netplex Json-smart 2.5.0-2.5.1 allows attackers to cause denial of service through stack exhaustion by sending specially crafted JSON with excessive '{' characters. It affects applications using these vulnerable versions for JSON parsing. This is an incomplete fix for CVE-2023-1370.

💻 Affected Systems

Products:

Netplex Json-smart

Versions: 2.5.0 through 2.5.1

Operating Systems: All platforms running Java

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using vulnerable Json-smart library for parsing untrusted JSON input

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability requiring restart, potentially disrupting critical business functions

🟠

Likely Case

Application crashes or becomes unresponsive, requiring manual intervention to restore service

🟢

If Mitigated

Minimal impact with proper input validation and monitoring in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

PoC available on GitHub, exploitation requires sending malicious JSON payload

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.5.2 or later

Vendor Advisory: https://github.com/netplex/json-smart-v2

Restart Required: Yes

Instructions:

1. Update Json-smart dependency to version 2.5.2+ in your project. 2. Rebuild and redeploy affected applications. 3. Restart services using the updated library.

🔧 Temporary Workarounds

Input validation and size limits

all

Implement JSON input validation and size restrictions before parsing

Web application firewall rules

all

Block JSON payloads with excessive '{' characters or implement rate limiting

🧯 If You Can't Patch

Implement strict input validation to reject JSON with excessive nesting
Deploy WAF with rules to detect and block malicious JSON payloads

🔍 How to Verify

Check if Vulnerable:

Check project dependencies for json-smart version 2.5.0 or 2.5.1

Check Version:

mvn dependency:tree | grep json-smart OR gradle dependencies | grep json-smart

Verify Fix Applied:

Verify json-smart version is 2.5.2 or higher in dependencies

📡 Detection & Monitoring

Log Indicators:

StackOverflowError in application logs
Application crashes during JSON parsing
High memory/CPU usage spikes

Network Indicators:

Large JSON payloads with repeated '{' characters
Multiple rapid JSON parsing requests

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR "json-smart" OR "JSON parsing error")

📊 Metadata

CVE ID: CVE-2024-57699

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-674

EPSS Score: 0.03% exploit probability (7.8th percentile)

Published: February 5, 2025

Last Updated: February 6, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57699, you might also want to check these: