
Denial-of-service from uncontrolled deep recursion in OurReader::readValue (exceed stackLimit) #1704

Description

@eglonnnn

Describe the bug
A denial-of-service vulnerability exists in jsoncpp 1.9.6. When OurReader::readValue() parses a deeply nested JSON array, recursive calls between readValue() and readArray() exceed the default stackLimit (1000) and throw an uncaught Json::RuntimeError, causing std::terminate() and process exit.

The crash occurs at json_reader.cpp:1041:5 in Json::OurReader::readValue(), triggered by a crafted input containing approximately 1100 consecutive [ characters.

All vulnerability resources, including the vulnerability description, fuzzer binary, PoC payload and reproduction steps, are stored in my research repository:
https://github.com/eglonnnn/opensource-fuzz-vulnerability-research/tree/main/jsoncpp-deep-nested-array-recursion-dos
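Added example, not code from jsoncpp or from the report: a minimal stand-in for the recursive readValue()/readArray() pair that enforces a nesting limit by throwing, beside a caller that catches the exception so the limit becomes a parse failure instead of an escape to std::terminate(). All names (demo::readArray, parseSafe, parseUnchecked, kDefaultStackLimit, nested) are hypothetical; only the limit value 1000 comes from the report. The constructed input nested(1100) has the same shape as the payload the report describes. With the real library my understanding is that the equivalent mitigation is to wrap Json::CharReader::parse() in a try/catch for Json::Exception and, if a lower bound is wanted, set "stackLimit" on the Json::CharReaderBuilder settings; that is not stated in the report.

```cpp
// Added example (not jsoncpp code): depth-limited recursive array reader
// plus a caller that turns the limit exception into a return value.
#include <cstddef>
#include <stdexcept>
#include <string>

namespace demo {

// Hypothetical constant; 1000 is the default stackLimit the report cites.
constexpr std::size_t kDefaultStackLimit = 1000;

struct ParseResult {
    bool ok;
    std::size_t maxDepth;   // deepest nesting level reached (0 if nothing parsed)
    std::string error;      // reason when ok == false
};

// Recursive reader for "[...]" starting at pos; returns the position after the
// closing bracket. Throws once the nesting depth reaches the limit, which is
// the behaviour the report attributes to OurReader::readValue().
static std::size_t readArray(const std::string& s, std::size_t pos,
                             std::size_t depth, std::size_t limit,
                             std::size_t& maxDepth) {
    if (depth >= limit)
        throw std::runtime_error("Exceeded stackLimit in readArray().");
    if (pos >= s.size() || s[pos] != '[')
        throw std::runtime_error("expected '['");
    if (depth + 1 > maxDepth) maxDepth = depth + 1;
    ++pos;
    while (pos < s.size() && s[pos] != ']') {
        if (s[pos] == '[') {
            pos = readArray(s, pos, depth + 1, limit, maxDepth);
        } else if (s[pos] == ',' || s[pos] == ' ') {
            ++pos;
        } else {
            throw std::runtime_error("unexpected character");
        }
    }
    if (pos >= s.size()) throw std::runtime_error("unterminated array");
    return pos + 1;
}

// Unchecked caller: the exception escapes. Fed nested(1100) from a context
// with no handler, this is the std::terminate() path the report describes.
std::size_t parseUnchecked(const std::string& s,
                           std::size_t limit = kDefaultStackLimit) {
    std::size_t maxDepth = 0;
    readArray(s, 0, 0, limit, maxDepth);
    return maxDepth;
}

// Hardened caller: the depth limit (and any other parse error) is reported
// through ParseResult, so the process keeps running on hostile input.
ParseResult parseSafe(const std::string& s,
                      std::size_t limit = kDefaultStackLimit) {
    ParseResult r{false, 0, ""};
    try {
        std::size_t end = readArray(s, 0, 0, limit, r.maxDepth);
        if (end != s.size()) {
            r.error = "trailing data";
            return r;
        }
        r.ok = true;
    } catch (const std::runtime_error& e) {
        r.error = e.what();
    }
    return r;
}

// Constructed input: n opening brackets followed by n closing brackets.
// nested(1100) has the shape of the payload described in the report.
std::string nested(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

}  // namespace demo

int main() {
    demo::ParseResult fine = demo::parseSafe(demo::nested(10));
    demo::ParseResult deep = demo::parseSafe(demo::nested(1100));
    // Exit 0 when a shallow document parses and the deep one is rejected cleanly.
    return (fine.ok && !deep.ok) ? 0 : 1;
}
```

The boundary matters when choosing a limit: with limit 1000 the reader accepts exactly 1000 nested arrays and rejects the 1001st, so a caller that wants a tighter bound for untrusted input passes a smaller limit rather than relying on the default.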
