Skip to main content

Eclipse Parsson CVE-2026-9563

| EUVDEUVD-2026-41258 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-02 eclipse GHSA-q86x-4w7f-8hrm
7.5
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated attacker sends untrusted JSON with no interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only resource exhaustion, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 08:50 vuln.today

DescriptionCVE.org

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

AnalysisAI

Denial of service in Eclipse Parsson before 1.1.8 lets remote unauthenticated attackers exhaust CPU and memory on any application that parses attacker-controlled JSON. Because the parser enforced no default cap on characters consumed per document, a single oversized payload - large arrays, strings, numbers, deep nesting, or whitespace - can hang or crash the service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint parsing untrusted JSON
Delivery
Craft oversized/deeply-nested JSON document
Exploit
Submit payload to parser
Execution
Parser consumes unbounded CPU/memory
Impact
Service exhaustion and denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application parse attacker-controlled JSON input through Eclipse Parsson at a version before 1.1.8; any endpoint accepting an untrusted JSON body, query, or message and passing it to Parsson's parser qualifies. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) accurately reflects a network-reachable, low-complexity, unauthenticated availability-only impact - no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single crafted JSON payload - for example a multi-hundred-megabyte deeply nested object or a giant string/number - to a public API endpoint whose handler parses the body with a pre-1.1.8 Parsson. The parser consumes CPU and heap without bound, driving the service to unresponsiveness or OutOfMemoryError, and repeated requests keep it down. …
Remediation Vendor-released patch: upgrade org.eclipse.parsson:parsson to 1.1.8 or later (https://repo.maven.apache.org/maven2/org/eclipse/parsson/parsson/1.1.8/), which introduces a configurable parsing limit defaulting to 15 million parser-consumed characters; review the Eclipse advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444 and the fix in PR https://github.com/eclipse-ee4j/parsson/pull/169 (commit 134e8d101aa74c8b9302d0cb62f6ccb4912a9d0c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all applications and microservices using Eclipse Parsson and classify by criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy