CVE-2022-23459 in Jsonxx
Summary
by MITRE • 08/19/2022
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/28/2025
The vulnerability CVE-2022-23459 affects Jsonxx, a popular C++ JSON parsing library that has been archived and is no longer maintained. This issue stems from improper memory management within the Value class implementation, creating conditions that can result in memory corruption through either double free or use-after-free scenarios. The root cause lies in the default assignment operator of the Value class which handles pointer types without properly updating the pointer references when dealing with alterable data structures. This flaw represents a classic memory safety issue that can be exploited to compromise system integrity and potentially execute arbitrary code.
The technical implementation of this vulnerability demonstrates poor handling of object lifetimes and resource management patterns in C++ code. When the Value class's default assignment operator processes pointer types, it fails to maintain proper pointer consistency across object copies, leading to scenarios where the same memory location may be freed multiple times or accessed after deallocation. This behavior directly aligns with CWE-415, which describes double free conditions, and CWE-416, which covers use-after-free vulnerabilities. The issue is particularly dangerous because it occurs during normal operation of the JSON parsing functionality, making exploitation relatively straightforward for attackers who can craft malicious JSON input.
From an operational perspective, this vulnerability poses significant risks to systems that rely on Jsonxx for JSON processing, especially in environments where untrusted input is processed. The archived status of the project means that no security patches or updates will be forthcoming, leaving affected systems vulnerable to exploitation. Attackers could leverage this vulnerability to achieve arbitrary code execution, data corruption, or denial of service conditions, depending on how the memory corruption manifests in the target environment. The impact is particularly severe in server applications, web services, or embedded systems that process JSON data from external sources without proper validation.
Organizations using Jsonxx should immediately implement mitigation strategies to address this vulnerability. The primary recommendation is to replace Jsonxx with a maintained, secure alternative such as nlohmann/json, jsoncpp, or other actively supported JSON libraries. Additionally, implementing input validation and sanitization measures can help reduce the attack surface, though these approaches do not address the underlying memory corruption issue. System administrators should also consider monitoring for unusual memory allocation patterns or application crashes that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1059.007 for command and scripting interpreter, as exploitation could enable attackers to execute malicious commands through compromised memory operations. Given the archived nature of Jsonxx, the most effective long-term solution involves migrating to modern, actively maintained JSON libraries that incorporate proper memory safety mechanisms and regular security updates to prevent similar vulnerabilities from arising in the future.