N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2018-18855

GHSA ID

GHSA-ww3v-6xjf-jv28

EPSS Score

CWE

CWE-400

Published

6/28/2022

Updated

1/12/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-18855

CVE-2018-18855: Uncontrolled Resource Consumption in Spray JSON

Recursive decent parsers are susceptible too StackOverflowExceptions on too deeply nested structures as currently "open" parsing state is kept on the stack.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-18855

CVE-2018-18855:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2018-18855

GHSA ID

GHSA-ww3v-6xjf-jv28

EPSS Score

CWE

CWE-400

Published

6/28/2022

Updated

1/12/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

vuln_not_found

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.spray:spray-json	maven	< 1.3.5	1.3.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from recursive descent parsing in Spray JSON's core parser. Both object and array parsing functions (parseObject/parseArray) recursively call themselves to handle nested structures. In vulnerable versions (<1.3.5), these functions lacked depth tracking, allowing attackers to craft JSON with excessive nesting that would cause StackOverflowErrors. The fix (in 1.3.5) introduced a depth counter and limit, confirming these functions were the vulnerable points. The confidence is high as recursive structure parsing is fundamental to JSON processing and the CVE explicitly calls out stack-based resource exhaustion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-18855: Uncontrolled Resource Consumption in Spray JSON

CVE-2018-18855:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Technical Details

CVE-2018-18855: Uncontrolled Resource Consumption in Spray JSON

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI