Summary
I identified a potential denial-of-service vulnerability in OWASP json-sanitizer when processing deeply nested JSON input.
If the nesting depth exceeds the default maximum (64 levels), JsonSanitizer.sanitize() may throw an unhandled ArrayIndexOutOfBoundsException, which can crash applications that rely on the library.
Impact
This issue could allow attackers to disrupt services by sending specially crafted JSON payloads, potentially resulting in denial of service in applications that sanitize untrusted input.
Affected Component
com.google.json.JsonSanitizer.sanitize()
- Internal nesting depth tracking logic
Tested Versions
- json-sanitizer 1.2.2
- json-sanitizer 1.2.3
- json-sanitizer 1.2.4-SNAPSHOT
Reproduction (High-Level)
To avoid misuse, I am not publishing a weaponized exploit publicly.
However, the issue can be reproduced by processing JSON input with nesting depth greater than the default maximum (e.g., >64 levels), which results in an out-of-bounds array access.
I am happy to share a full proof-of-concept privately with maintainers.
Suggested Fix
Add a strict nesting depth check before writing to the internal depth tracking array, and gracefully reject input that exceeds the configured maximum depth instead of throwing runtime exceptions.
Responsible Disclosure
This report follows responsible disclosure practices.
Please let me know the best secure channel to share detailed reproduction steps.
Credits
Discovered by an Independent Security Researcher.
Summary
I identified a potential denial-of-service vulnerability in OWASP json-sanitizer when processing deeply nested JSON input.
If the nesting depth exceeds the default maximum (64 levels),
JsonSanitizer.sanitize()may throw an unhandledArrayIndexOutOfBoundsException, which can crash applications that rely on the library.Impact
This issue could allow attackers to disrupt services by sending specially crafted JSON payloads, potentially resulting in denial of service in applications that sanitize untrusted input.
Affected Component
com.google.json.JsonSanitizer.sanitize()Tested Versions
Reproduction (High-Level)
To avoid misuse, I am not publishing a weaponized exploit publicly.
However, the issue can be reproduced by processing JSON input with nesting depth greater than the default maximum (e.g., >64 levels), which results in an out-of-bounds array access.
I am happy to share a full proof-of-concept privately with maintainers.
Suggested Fix
Add a strict nesting depth check before writing to the internal depth tracking array, and gracefully reject input that exceeds the configured maximum depth instead of throwing runtime exceptions.
Responsible Disclosure
This report follows responsible disclosure practices.
Please let me know the best secure channel to share detailed reproduction steps.
Credits
Discovered by an Independent Security Researcher.