CVE-2026-24802
📋 TL;DR
This CVE describes an infinite loop vulnerability in jsonrpc4j's NoCloseOutputStream.java that can cause denial of service. Applications using affected versions of jsonrpc4j for JSON-RPC communication are vulnerable when processing malicious or malformed requests. The vulnerability allows attackers to exhaust server resources by sending crafted payloads.
💻 Affected Systems
- briandilley/jsonrpc4j
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion (CPU/memory), potentially affecting multiple services if the vulnerable component is shared infrastructure.
Likely Case
Degraded performance or temporary service disruption for affected endpoints, requiring manual intervention to restart services.
If Mitigated
Limited impact with proper request validation, rate limiting, and resource monitoring in place.
🎯 Exploit Status
Exploitation requires sending malformed JSON-RPC requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.6.0
Vendor Advisory: https://github.com/briandilley/jsonrpc4j/pull/333
Restart Required: Yes
Instructions:
1. Update the jsonrpc4j dependency to a version after 1.6.0.
2. Update pom.xml or build.gradle to reference the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Request validation and filtering
Implement input validation to reject malformed JSON-RPC requests before they reach the vulnerable component.
Resource limits
Configure process/thread resource limits and timeouts so that a runaway loop cannot consume all resources (Linux shell):
ulimit -t 30         # cap CPU time per process at 30 seconds
ulimit -v 1048576    # cap virtual memory at 1 GiB (value is in KiB)
🧯 If You Can't Patch
- Implement network-level controls like WAF rules to block suspicious JSON-RPC patterns
- Deploy monitoring with alerting for abnormal resource consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check dependency manifest (pom.xml, build.gradle) for jsonrpc4j version ≤1.6.0
Check Version:
grep -i jsonrpc4j pom.xml || grep -i jsonrpc4j build.gradle
Verify Fix Applied:
Verify jsonrpc4j version is >1.6.0 in dependency manifest and rebuilt application
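As an added example (not from the advisory or the jsonrpc4j project), the manifest check above as a script: it pulls jsonrpc4j version declarations out of pom.xml and build.gradle contents, compares them against the advisory's 1.6.0 boundary, and reports unresolved property references separately so they are not silently treated as safe. The manifest snippets and the Maven group id are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests (not taken from the advisory) to exercise the check.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>com.github.briandilley.jsonrpc4j</groupId>
    <artifactId>jsonrpc4j</artifactId><version>1.6.0</version></dependency>
</dependencies></project>"""
SAMPLE_GRADLE = "dependencies {\n    implementation 'com.github.briandilley.jsonrpc4j:jsonrpc4j:1.7.0'\n}\n"

LAST_VULNERABLE = (1, 6, 0)  # advisory: only versions after 1.6.0 carry the fix

def parse_version(text):
    """'1.6.0' or '1.6.0-SNAPSHOT' -> (1, 6, 0); None for unresolved values like ${jsonrpc4j.version}."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

_local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace from a tag name

def jsonrpc4j_versions_from_pom(pom_xml):
    """Every <version> declared on a jsonrpc4j <dependency> in a pom.xml string."""
    found = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") == "jsonrpc4j" and "version" in fields:
            found.append(fields["version"])
    return found

def jsonrpc4j_versions_from_gradle(gradle_text):
    """Versions from quoted 'group:jsonrpc4j:version' coordinates in a build.gradle string."""
    return re.findall(r"[\w.\-]+:jsonrpc4j:([\w.\-]+)", gradle_text)

def is_vulnerable(version_text):
    """True if the version is <= 1.6.0, False if after it, None if it could not be parsed."""
    v = parse_version(version_text)
    return None if v is None else v <= LAST_VULNERABLE

def check_manifests(pom_xml="", gradle_text=""):
    """(version, verdict) for each jsonrpc4j declaration found in the given manifest contents."""
    versions = jsonrpc4j_versions_from_pom(pom_xml) if pom_xml else []
    versions += jsonrpc4j_versions_from_gradle(gradle_text)
    return [(v, is_vulnerable(v)) for v in versions]

if __name__ == "__main__":
    for version, verdict in check_manifests(SAMPLE_POM, SAMPLE_GRADLE):
        print("jsonrpc4j", version, {True: "VULNERABLE (<= 1.6.0)", False: "fixed (> 1.6.0)", None: "unresolved (property?)"}[verdict])
```

Run it against real files by reading pom.xml and build.gradle into the two arguments; a None verdict means the version is a Maven/Gradle property that must be resolved by hand.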
📡 Detection & Monitoring
Log Indicators:
- High CPU usage patterns
- Thread/process hanging indefinitely
- Request timeouts on JSON-RPC endpoints
Network Indicators:
- Repeated malformed JSON-RPC requests to same endpoint
- Abnormal request patterns to JSON-RPC services
SIEM Query:
source="application_logs" AND ("jsonrpc4j" OR "NoCloseOutputStream") AND ("timeout" OR "hang" OR "high_cpu")