CVE-2024-57699
Published: 05 February 2025
Description
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.
Security Summary
CVE-2024-57699 is a stack exhaustion vulnerability affecting Netplex Json-smart versions 2.5.0 through 2.5.1. The issue arises when processing a specially crafted JSON input containing a large number of opening braces ('{'), triggering uncontrolled recursion and leading to denial of service (DoS). This flaw stems from an incomplete fix for the prior vulnerability CVE-2023-1370 and is classified under CWE-674 (Uncontrolled Recursion), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying the malformed JSON input to an affected Json-smart parser, the attacker can exhaust the stack, causing the application to crash or become unresponsive and disrupting availability.
References for CVE-2024-57699 include a GitHub repository containing a proof-of-concept exploit at https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699 and the NVD detail page for the related CVE-2023-1370 at https://nvd.nist.gov/vuln/detail/cve-2023-1370. No specific patch or mitigation details are outlined in the available information.
Details
- CWE(s)