7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-57699

GHSA ID

GHSA-pq2g-wx69-c263

EPSS Score

0.05204%

CWE

CWE-674

Published

2/6/2025

Updated

3/12/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-57699

CVE-2024-57699: Netplex Json-smart Uncontrolled Recursion vulnerability

A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.

The fixed version only addresses the default modes provided by JSONParser, such as MODE_RFC4627. If you create the JSONParser manually or with custom options, make sure to set the LIMIT_JSON_DEPTH option.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-57699

GHSA ID

GHSA-pq2g-wx69-c263

EPSS Score

0.05204%

CWE

CWE-674

Published

2/6/2025

Updated

3/12/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
net.minidev:json-smart	maven	>= 2.5.0, < 2.5.2	2.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an uncontrolled recursion (stack exhaustion) when parsing a specially crafted JSON with excessive nesting. The fix involves adding the LIMIT_JSON_DEPTH flag to predefined parser modes (MODE_RFC4627, MODE_JSON_SIMPLE, MODE_STRICTEST) in JSONParser.java. This implies that before the patch, these modes were vulnerable. The JSONParser constructor (<init>) is used to create a parser instance, potentially with one of these vulnerable modes. The parse method of this JSONParser instance is then used to process the JSON input, and it's this method (and the internal recursive methods it calls for parsing objects/arrays) that would exhaust the stack if no depth limit is enforced. The added test file TestCVE202457699.java explicitly shows the instantiation of JSONParser with these modes and then calling the parse method with a malicious string designed to cause deep recursion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity issu* w*s *oun* in N*tpl*x Json-sm*rt *.*.* t*rou** *.*.*. W**n lo**in* * sp**i*lly *r**t** JSON input, *ont*inin* * l*r** num**r o* ’{’, * st**k *x**ustion **n ** tri***r, w*i** *oul* *llow *n *tt**k*r to **us* * **ni*l o* S*rvi** (*oS).

Reasoning

T** vuln*r**ility is *n un*ontroll** r**ursion (st**k *x**ustion) w**n p*rsin* * sp**i*lly *r**t** JSON wit* *x**ssiv* n*stin*. T** *ix involv*s ***in* t** `LIMIT_JSON_**PT*` *l** to pr****in** p*rs*r mo**s (`MO**_R******`, `MO**_JSON_SIMPL*`, `MO**_

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-57699: Netplex Json-smart Uncontrolled Recursion vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI