Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service.
AnalysisAI
Denial of service in lwjson 1.8.1 streaming parser allows remote unauthenticated attackers to cause indefinite application hang by sending JSON strings containing escaped backslashes followed by quotes (e.g., "text\\\"). The vulnerability stems from flawed end-of-string detection logic in lwjson_stream.c that fails to properly count consecutive backslashes before quote characters. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this represents a readily exploitable availability risk for applications using lwjson_stream_parse(), though no active exploitation or POC weaponization is confirmed at time of analysis.
Technical ContextAI
lwjson is a lightweight JSON parser library designed for embedded systems and resource-constrained environments. The vulnerability resides in the streaming parser implementation (lwjson_stream.c), specifically in the string termination detection logic around lines 362-364. The flawed code checks only the immediately preceding character to determine if a closing quote is escaped, rather than implementing proper backslash escape sequence parsing that counts consecutive backslashes. In JSON specification (RFC 8259), a backslash escapes the following character, so an even number of consecutive backslashes before a quote means the quote is NOT escaped. The lwjson parser incorrectly treats any quote preceded by a single backslash as escaped, causing strings like "text\\" (which should terminate after the final quote) to never complete parsing. This is classified as CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop), a subset of improper input validation vulnerabilities that can lead to resource exhaustion.
RemediationAI
Upgrade lwjson to a patched version once released by the maintainer (https://github.com/MaJerle/lwjson). At time of analysis, no vendor-released patch version is confirmed in available references, though the GitHub repository link (https://github.com/MaJerle/lwjson/tree/develop) and specific vulnerable code location (https://github.com/MaJerle/lwjson/blob/develop/lwjson/src/lwjson/lwjson_stream.c#L362-L364) suggest maintainer awareness. A proof-of-concept demonstrating the vulnerability exists at https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103, which may aid in testing fixes. If immediate patching is not feasible, implement input validation to reject or sanitize JSON strings containing sequences of multiple consecutive backslashes before quote characters, though this may break legitimate use cases requiring escaped backslashes. Alternative mitigation: replace lwjson_stream_parse() with the standard non-streaming lwjson parser if application design permits buffering entire JSON payloads in memory, trading memory consumption for elimination of this vulnerability. For critical systems, implement watchdog timers or parsing timeouts to detect and terminate hung parser instances, limiting DOS impact to individual requests rather than full application failure, though this addresses symptoms rather than root cause.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28787
GHSA-hr45-w7f7-w9j6