CVE-2022-45690 in WebCenter Portalinfo

Summary

by MITRE • 12/13/2022

A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.


Analysis

by VulDB Data Team • 09/12/2025

CVE-2022-45690 is a stack overflow in hutool-json 5.8.10, in the nextValue method of JSONTokener (hutool's JSON module is a port of the org.json tokenizer, which is why the CVE text names the org.json class; the shipped class lives in hutool's own cn.hutool.json package). nextValue is the entry point for every JSON value and is also reached when the library converts XML into JSON objects, so both input formats named in the summary lead to the same code. The defect is not a buffer problem: the tokenizer descends recursively for every nested array or object and never enforces a nesting-depth limit, so the depth of the input alone decides how much thread stack a single parse consumes.

The mechanism is ordinary recursive descent. nextValue reads one character; on '[' or '{' it hands off to the array or object constructor, which calls nextValue again for each element, so a document nested N levels deep produces at least N nested call frames (more in practice, since each level passes through several methods). Nothing bounds N. A long run of opening brackets, far smaller than the stack it consumes, therefore exhausts the thread stack and the JVM throws java.lang.StackOverflowError. Because that is an Error rather than an exception most application code catches, it unwinds the thread that was parsing; in a server that kills the request in flight, and a stream of such requests keeps the service unavailable. No circular references are involved, since JSON text cannot express them; the attacker only needs depth. The weakness is uncontrolled recursion, CWE-674, not CWE-129 (improper validation of an array index) as this entry originally stated; on the ATT&CK side it maps to T1499.004, Endpoint Denial of Service: Application or System Exploitation.

The impact is availability only. A StackOverflowError in the JVM is a managed condition: it does not corrupt memory or give the attacker control of execution, so nothing on this page supports escalation beyond denial of service. Within that scope the exposure is broad. Any code path that feeds untrusted text to hutool-json 5.8.10 is reachable, including REST request bodies, webhooks, uploaded configuration and XML-to-JSON conversion in web applications, backend services and enterprise systems. No authentication, elevated privilege or specialised knowledge is needed beyond the ability to submit a request, and the payload is trivial to generate.

Remediation is to upgrade hutool-json to a release whose tokenizer enforces a nesting-depth limit; confirm the first fixed version against the project's changelog rather than assuming the next release after 5.8.10 is safe. Dependency audits must include transitive dependencies (hutool is frequently pulled in indirectly), so check the resolved tree (mvn dependency:tree, gradle dependencies) and not only declared versions. Until the upgrade lands, the useful compensating controls are the ones that act before recursion starts: cap request body size at the edge, run a linear pre-scan that counts bracket depth outside string literals and rejects bodies deeper than a small fixed limit, and parse untrusted input on a worker thread with its own stack where a StackOverflowError can be contained and logged instead of unwinding a shared thread. Rate limiting helps less than usual, since a single request is enough to take out a thread. WAF or API-gateway rules can key on body size and bracket depth; keep the rejected-body events in logs so exploitation attempts are visible during incident review.

Reservation

11/21/2022

Disclosure

12/13/2022

Moderation

accepted

Entry

2

CPE

ready

EPSS

0.00943

KEV

no

Activities

very low

Sources
