A OOM problem was found in jettison
Alex111998 opened this issue · 1 comment
Alex111998 commented
When I tested the latest version (1.5.4) of jettison with CIFuzz, an OOM security issue was found. It is caused when a big number is put into a JSONArray, and it may cause denial of service issues in applications via the following code:
pom:

```xml
<dependency>
    <groupId>org.codehaus.jettison</groupId>
    <artifactId>jettison</artifactId>
    <version>1.5.4</version>
</dependency>
```
code:

```java
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

public class JSONArray_OOM {
    public static void main(String[] args) throws JSONException {
        // Reproducer: a very large index passed to put(int, double) makes the
        // array grow up to that index, exhausting the heap (OutOfMemoryError).
        new JSONArray().put(1829517625, 1.0719845412539998E291);
    }
}
```
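As an added example (not code from the issue or from jettison itself), the following shows one way an application that builds arrays from externally supplied indexes can keep this call from exhausting the heap: a small wrapper checks the index against an application-chosen bound before delegating to `JSONArray.put(int, Object)`. The class name `BoundedJsonArray`, the limit `MAX_INDEX`, and the assumption that `put(int, Object)` grows the backing list up to the requested index are assumptions of this example, not statements taken from the page.

```java
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;

/**
 * Wrapper around jettison's JSONArray that refuses sparse writes beyond a
 * fixed bound. Assumed limit: real applications should derive MAX_INDEX from
 * what their data model actually needs, not from the available heap.
 */
public final class BoundedJsonArray {
    // Assumed application-specific limit on how far an array may be grown
    // by a single indexed put; anything larger is treated as a request to
    // allocate an unreasonable amount of memory and is rejected.
    private static final int MAX_INDEX = 10_000;

    private final JSONArray delegate = new JSONArray();

    /**
     * Stores value at index, but only if the index is within [0, MAX_INDEX].
     * Rejecting out-of-range indexes before the call means the underlying
     * array is never asked to grow to a caller-chosen size.
     */
    public BoundedJsonArray put(int index, Object value) throws JSONException {
        if (index < 0 || index > MAX_INDEX) {
            throw new IllegalArgumentException(
                "index " + index + " outside allowed range [0, " + MAX_INDEX + "]");
        }
        delegate.put(index, value);
        return this;
    }

    public int length() {
        return delegate.length();
    }

    public String toString() {
        return delegate.toString();
    }

    public static void main(String[] args) throws JSONException {
        BoundedJsonArray arr = new BoundedJsonArray();

        // Normal use: small indexes are accepted and the array grows modestly.
        arr.put(0, "first").put(3, 42);
        System.out.println("length after valid puts: " + arr.length()); // 4

        // The index from the reproducer is rejected up front instead of
        // being handed to JSONArray, so no oversized allocation happens.
        try {
            arr.put(1829517625, 1.0719845412539998E291);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs at the trust boundary: if the index originates from a request, a file, or another untrusted source, validate it there so the same bound applies regardless of which JSONArray method is eventually called.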
coheigea commented
Can you demonstrate though that this is called when parsing JSON?