Skip to content

Potential DoS Vulnerability: Deeply Nested JSON Causes ArrayIndexOutOfBoundsException #35

Description

@wx0602

Summary

I identified a potential denial-of-service vulnerability in OWASP json-sanitizer when processing deeply nested JSON input.

If the nesting depth exceeds the default maximum (64 levels), JsonSanitizer.sanitize() may throw an unhandled ArrayIndexOutOfBoundsException, which can crash applications that rely on the library.


Impact

This issue could allow attackers to disrupt services by sending specially crafted JSON payloads, potentially resulting in denial of service in applications that sanitize untrusted input.


Affected Component

  • com.google.json.JsonSanitizer.sanitize()
  • Internal nesting depth tracking logic

Tested Versions

  • json-sanitizer 1.2.2
  • json-sanitizer 1.2.3
  • json-sanitizer 1.2.4-SNAPSHOT

Reproduction (High-Level)

To avoid misuse, I am not publishing a weaponized exploit publicly.
However, the issue can be reproduced by processing JSON input with nesting depth greater than the default maximum (e.g., >64 levels), which results in an out-of-bounds array access.

I am happy to share a full proof-of-concept privately with maintainers.


Suggested Fix

Add a strict nesting depth check before writing to the internal depth tracking array, and gracefully reject input that exceeds the configured maximum depth instead of throwing runtime exceptions.


Responsible Disclosure

This report follows responsible disclosure practices.
Please let me know the best secure channel to share detailed reproduction steps.


Credits

Discovered by an Independent Security Researcher.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions