Eclipse Parsson
Monthly
Denial of service in Eclipse Parsson before 1.1.8 lets remote unauthenticated attackers exhaust CPU and memory on any application that parses attacker-controlled JSON. Because the parser enforced no default cap on characters consumed per document, a single oversized payload - large arrays, strings, numbers, deep nesting, or whitespace - can hang or crash the service. No public exploit is identified at time of analysis; the fix (1.1.8) adds a configurable default limit of 15 million parser-consumed characters.
Denial of service in Eclipse Parsson before 1.1.8 lets remote unauthenticated attackers exhaust CPU and memory on any application that parses attacker-controlled JSON. Because the parser enforced no default cap on characters consumed per document, a single oversized payload - large arrays, strings, numbers, deep nesting, or whitespace - can hang or crash the service. No public exploit is identified at time of analysis; the fix (1.1.8) adds a configurable default limit of 15 million parser-consumed characters.