CVE-2018-18855

Uncontrolled Resource Consumption in Spray JSON

Published: 6/28/2022Modified: 9/30/2025

Description

Recursive decent parsers are susceptible too StackOverflowExceptions on too deeply nested structures as currently "open" parsing state is kept on the stack.

Affected packages (12)

Maven/io.spray:spray-json_2.10from 0, < 1.3.5
Maven/io.spray:spray-json_2.11from 0, < 1.3.5
Maven/io.spray:spray-json_2.11.0-RC4from 0
Maven/io.spray:spray-json_2.12from 0, < 1.3.5
Maven/io.spray:spray-json_2.12.0-M3from 0
Maven/io.spray:spray-json_2.12.0-M5from 0
Maven/io.spray:spray-json_2.12.0-RC1from 0
Maven/io.spray:spray-json_2.12.0-RC2from 0
Maven/io.spray:spray-json_2.13.0-M2from 0
Maven/io.spray:spray-json_2.13.0-M4from 0
Maven/io.spray:spray-json_2.13.0-M5from 0, < 1.3.5
Maven/io.spray:spray-json_2.9.3from 0

References (3)

PATCHhttps://github.com/spray/spray-json
WEBhttps://github.com/spray/spray-json/pull/284
WEBhttps://security.snyk.io/vuln/SNYK-JAVA-IOSPRAY-72601