VulnerableCode Package Details - pkg:maven/org.json/json@20230227

Search for packages

Vulnerability	Summary	Fixed by
VCID-e3cz-9mdx-cfhp Aliases: CVE-2023-5072 GHSA-4jq9-2xhw-jpx7	Java: DoS Vulnerability in JSON-JAVA A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.	20231013 Affected by 0 other vulnerabilities.
VCID-sc5t-vs4k-kuet Aliases: GHSA-rm7j-f5g5-27vv	Duplicate Advisory: Denial of Service in JSON-Java ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. ## Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.	20231013 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-e3cz-9mdx-cfhp
Aliases:
CVE-2023-5072
GHSA-4jq9-2xhw-jpx7

Java: DoS Vulnerability in JSON-JAVA A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.

20231013
Affected by 0 other vulnerabilities.

VCID-sc5t-vs4k-kuet
Aliases:
GHSA-rm7j-f5g5-27vv

Duplicate Advisory: Denial of Service in JSON-Java ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. ## Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

20231013
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4936-gd8t-gbcy	json stack overflow vulnerability A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.	CVE-2022-45688 GHSA-3vqj-43w4-2q58

Vulnerability

Summary

Aliases

VCID-4936-gd8t-gbcy

json stack overflow vulnerability A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

CVE-2022-45688
GHSA-3vqj-43w4-2q58

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:19:25.517990+00:00	GitLab Importer	Affected by	VCID-e3cz-9mdx-cfhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/CVE-2023-5072.yml	38.6.0
2026-06-06T04:12:38.770277+00:00	GitLab Importer	Affected by	VCID-sc5t-vs4k-kuet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/GHSA-rm7j-f5g5-27vv.yml	38.6.0
2026-06-05T17:13:43.761950+00:00	GitLab Importer	Fixing	VCID-4936-gd8t-gbcy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/CVE-2022-45688.yml	38.6.0
2026-06-04T17:48:32.959757+00:00	GithubOSV Importer	Fixing	VCID-4936-gd8t-gbcy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json	38.6.0