VulnerableCode Package Details - pkg:maven/org.json/json@20231013

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-e3cz-9mdx-cfhp	Java: DoS Vulnerability in JSON-JAVA A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.	CVE-2023-5072 GHSA-4jq9-2xhw-jpx7
VCID-sc5t-vs4k-kuet	Duplicate Advisory: Denial of Service in JSON-Java ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. ## Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.	GHSA-rm7j-f5g5-27vv

Vulnerability

Summary

Aliases

VCID-e3cz-9mdx-cfhp

Java: DoS Vulnerability in JSON-JAVA A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.

CVE-2023-5072
GHSA-4jq9-2xhw-jpx7

VCID-sc5t-vs4k-kuet

Duplicate Advisory: Denial of Service in JSON-Java ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4jq9-2xhw-jpx7. This link is maintained to preserve external references. ## Original Description Denial of Service in JSON-Java versions prior to 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

GHSA-rm7j-f5g5-27vv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T17:19:22.330126+00:00	GithubOSV Importer	Fixing	VCID-e3cz-9mdx-cfhp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4jq9-2xhw-jpx7/GHSA-4jq9-2xhw-jpx7.json	38.6.0
2026-06-04T17:14:12.916162+00:00	GithubOSV Importer	Fixing	VCID-sc5t-vs4k-kuet	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-rm7j-f5g5-27vv/GHSA-rm7j-f5g5-27vv.json	38.6.0
2026-06-02T04:46:19.926516+00:00	GitLab Importer	Fixing	VCID-e3cz-9mdx-cfhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/CVE-2023-5072.yml	38.6.0
2026-06-02T04:46:03.814580+00:00	GitLab Importer	Fixing	VCID-sc5t-vs4k-kuet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.json/json/GHSA-rm7j-f5g5-27vv.yml	38.6.0