CVE-2022-45688: json stack overflow vulnerability

Basic Information

CVSS Score: 7.5 (CVSS 3.1)
EPSS Score: 0.74056%
Published: 12/13/2022
Updated: 4/15/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.json:json | maven | < 20230227 | 20230227 |
| cn.hutool:hutool-json | maven | < 5.8.25 | 5.8.25 |

Vulnerability Intelligence
Root Cause Analysis

Both libraries' XML-to-JSON conversion functions (XML.toJSONObject entry points) utilized recursive parsing without stack depth checks. The vulnerability manifests when converting malicious XML with hundreds/thousands of nested elements, as shown in the PoC. The patches (added maxNestingDepth checks in JSONML.java and ParseConfig in Hutool) directly address uncontrolled recursion in these functions, confirming their role in the vulnerability.
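Where an upgrade to the first patched versions listed above has to wait, the missing depth check can be applied in front of the converter. The following is an added example, not code from org.json or Hutool; the class name `XmlDepthGuard`, the limit of 64 and the sample documents are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDepthGuard {
    // Assumed limit for this example; size it to the deepest legitimate document.
    static final int MAX_DEPTH = 64;

    /** True only if xml is well-formed and nests no deeper than maxDepth elements. */
    static boolean withinDepth(String xml, int maxDepth) {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // The guard itself must not process DTDs or external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        try {
            // Pull parsing lets the nesting level live in a counter that we bound ourselves.
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            int depth = 0;
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.START_ELEMENT && ++depth > maxDepth) {
                    return false;              // too deep: reject before converting
                } else if (event == XMLStreamConstants.END_ELEMENT) {
                    depth--;
                }
            }
            return true;
        } catch (XMLStreamException e) {
            return false;                      // fail closed on malformed input
        }
    }

    // Builds a constructed sample document with the given number of nested elements.
    static String nested(int levels) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.append("<a>");
        sb.append("x");
        for (int i = 0; i < levels; i++) sb.append("</a>");
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("depth 10:   " + withinDepth(nested(10), MAX_DEPTH));
        System.out.println("depth 5000: " + withinDepth(nested(5000), MAX_DEPTH));
        System.out.println("malformed:  " + withinDepth("<a><b></a>", MAX_DEPTH));
    }
}
```

Call `withinDepth` on untrusted input before passing it to `XML.toJSONObject` and reject the request when it returns false. A strict StAX parse also rejects input that is not well-formed XML, so confirm that legitimate payloads pass before enforcing it.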

WAF Protection Rules

WAF Rule

A stack overflow in the XML.toJSONObject component of hutool-json v*.*.** and org.json:json before version ******** allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.