CVE-2026-9563 in Parsson
Summary
by MITRE • 07/02/2026
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/02/2026
The Eclipse Parsson JSON parser vulnerability represents a critical denial of service weakness that affects applications relying on this library for JSON processing. This flaw exists in versions prior to 1.1.8 where the parser lacks inherent limits on character consumption during document parsing operations. The vulnerability stems from the absence of any default maximum threshold for the number of characters that can be processed in a single JSON document, creating an exploitable condition where malicious actors can craft oversized JSON payloads to overwhelm system resources.
The technical implementation flaw resides in the parser's design philosophy which assumes unlimited input processing without resource constraints. This approach directly violates established security principles and industry standards such as CWE-770, which addresses allocation of resources without proper limits, and aligns with ATT&CK technique T1499.1 for resource exhaustion attacks. When applications parse JSON data from untrusted sources using the vulnerable Parsson versions, they become susceptible to excessive CPU utilization and memory consumption patterns that can cause system instability or complete service disruption.
The operational impact of this vulnerability extends beyond simple resource exhaustion to encompass broader system reliability concerns. Applications that process attacker-controlled JSON input, including web services, APIs, and backend systems, face significant risk when running vulnerable Parsson versions. The attack vector is particularly dangerous because it can exploit nested structures, large arrays, extensive strings, or excessive whitespace to consume resources exponentially. This vulnerability affects any system where JSON parsing occurs without proper input validation or resource limitation mechanisms, making it a widespread concern across many application architectures that depend on the affected library.
The remediation approach implemented in Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default setting of 15 million parser-consumed characters, providing administrators with both protection and flexibility. This solution addresses the core issue by establishing clear resource boundaries while allowing organizations to adjust limits based on their specific operational requirements. The fix aligns with defensive programming practices recommended in OWASP Top Ten and follows the principle of least privilege by imposing necessary constraints on input processing. Organizations should immediately upgrade to version 1.1.8 or later, configure appropriate parsing limits based on their application needs, and implement additional input validation measures to prevent exploitation of this vulnerability across their entire software ecosystem.