CVE-2022-45688

HIGH

hutool-json 5.8.10 - Denial of Service via XML.toJSONObject Stack Overflow

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2022-45688. PoCs published by scabench.

AI-analyzed exploit summary This repository demonstrates CVE-2022-45688, a stack overflow vulnerability in json.org's XML-to-JSON conversion. It includes a shaded (manually embedded) vulnerable version of json.org and a test case to trigger the crash.

Description

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Exploits (5)

nomisec WORKING POC 1 stars

by scabench · poc

https://github.com/scabench/jsonorg-fn1

View Code ZIP pw:eip

This repository demonstrates CVE-2022-45688, a stack overflow vulnerability in json.org's XML-to-JSON conversion. It includes a shaded (manually embedded) vulnerable version of json.org and a test case to trigger the crash.

Classification

Working Poc | Scanner | Writeup 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: json.org (shaded version 20220924)

No auth needed

Prerequisites: Malicious XML input to trigger stack overflow

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by scabench · poc

https://github.com/scabench/jsonorg-tp1

View Code ZIP pw:eip

This repository contains a working PoC for CVE-2022-45688, demonstrating a stack overflow vulnerability in the json.org library when processing maliciously crafted XML input. The test case triggers the vulnerability by providing a large repeated XML string, causing a StackOverflowError.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: org.json:json version 20220924

No auth needed

Prerequisites: Java runtime environment · json.org library version 20220924

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by scabench · poc

https://github.com/scabench/jsonorg-fp3

View Code ZIP pw:eip

This repository demonstrates a false positive for CVE-2022-45688 in json.org by implementing a sanitization check to prevent stack overflow in XML-to-JSON conversion. It includes scripts for running software composition analyses and a test case to confirm the vulnerability is mitigated.

Classification

Writeup 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Theoretical

Target: org.json:json:20220924

No auth needed

Prerequisites: Input with excessive nested XML tags to trigger stack overflow

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by scabench · poc

https://github.com/scabench/jsonorg-fp2

View Code ZIP pw:eip

This repository demonstrates a false positive for CVE-2022-45688 in json.org, showing that static analysis tools may flag the vulnerability even when the input is hardcoded and non-exploitable. It includes a test case to confirm the vulnerability but does not provide a working exploit.

Classification

Writeup 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Theoretical

Target: org.json:json (20220924)

No auth needed

Prerequisites: Presence of vulnerable json.org library · Ability to control input to XML.toJSONObject()

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by scabench · poc

https://github.com/scabench/jsonorg-fp1

View Code ZIP pw:eip

This repository demonstrates a false positive for CVE-2022-45688 in the json.org library. It includes a simple application that does not invoke the vulnerable class, highlighting the difference between metadata-based and callgraph-based software composition analyses.

Classification

Writeup 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Theoretical

Target: org.json:json:20220924

No auth needed

Prerequisites: Presence of the json.org library in the dependency tree

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Issue Tracking, Third Party Advisory

https://github.com/dromara/hutool/issues/2748

Exploit, Issue Tracking, Third Party Advisory

https://github.com/stleary/JSON-java/issues/708

Scores

CVSS v3 7.5

EPSS 0.0128

EPSS Percentile 80.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-787

Status published

Products (4)

cn.hutool/hutool-json 0 - 5.8.25Maven

hutool/hutool 5.8.10

org.json/json 0 - 20230227Maven

stleary/json-java < 20230227

Published Dec 13, 2022

Tracked Since Feb 18, 2026