7.5
CVE-2026-9563
- EPSS 0.37%
- Veröffentlicht 02.07.2026 07:33:25
- Zuletzt bearbeitet 02.07.2026 17:44:12
- Quelle emo@eclipse.org
- CVE-Watchlists
- Unerledigt
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerEclipse Foundation
≫
Produkt
Eclipse Parsson
Default Statusunaffected
Version <=
1.1.7
Version
1.0.0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.286 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| emo@eclipse.org | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-400 Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://github.com/eclipse-ee4j/parsson/commit/134e8d101aa74c8b9302d0cb62f6ccb4912a9d0c
https://github.com/eclipse-ee4j/parsson/pull/169
https://repo.maven.apache.org/maven2/org/eclipse/parsson/parsson/1.1.8/
https://github.com/eclipse-ee4j/parsson/tree/1.1.8
https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444