CVE-2022-23460: CWE-121 Stack-based Buffer Overflow in hjiang Jsonxx
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.
AI Analysis
Technical Summary
CVE-2022-23460 is a stack-based buffer overflow vulnerability (CWE-121) identified in the Jsonxx (also known as Json++) library, a JSON parser, writer, and reader implemented in C++. The vulnerability arises during JSON parsing, specifically when the library is built with Address Sanitizer (ASAN) enabled. Under these conditions, parsing can lead to stack exhaustion, a form of resource exhaustion in which the call stack grows beyond its allocated limit because of uncontrolled recursion or excessive allocation on the stack. The exhausted stack crashes the program using the Jsonxx library, resulting in a Denial of Service (DoS). CWE-121 classically describes data written beyond the bounds of a fixed-length stack buffer, corrupting adjacent memory and potentially destabilizing the application; in this case, however, the primary impact is DoS rather than arbitrary code execution or privilege escalation. The Jsonxx project has been archived, and no patches or updates are expected to address this vulnerability. The affected versions are unspecified but include the current commit of the project at the time of discovery. Users relying on Jsonxx are strongly advised to migrate to an actively maintained JSON parsing library that does not exhibit this behaviour. No exploits have been reported in the wild, indicating that exploitation may require specific conditions or has not yet been weaponized. Triggering the issue requires neither authentication nor user interaction, since it occurs during JSON parsing, which is typically an automated process within applications.
Potential Impact
For European organizations, the primary impact of CVE-2022-23460 is the potential for Denial of Service in applications that utilize the Jsonxx library for JSON parsing. This can lead to service outages, application crashes, and disruption of business processes that depend on these applications. Since JSON is a widely used data interchange format, any application relying on Jsonxx for parsing JSON data could be affected. The DoS may affect availability but does not directly compromise confidentiality or integrity. However, service disruptions can have cascading effects, including loss of productivity, customer dissatisfaction, and potential regulatory scrutiny if critical services are impacted. Given that Jsonxx is an archived project with no forthcoming patches, organizations using it face a persistent risk unless they migrate to alternative libraries. The impact is more pronounced in sectors where high availability is critical, such as finance, healthcare, telecommunications, and public services. Additionally, automated systems or APIs processing external JSON inputs are at risk of being targeted to trigger crashes, potentially as part of a broader attack strategy. The absence of known exploits reduces immediate risk, but the vulnerability remains a latent threat, especially for legacy systems or niche applications that have not updated their JSON parsing components.
Mitigation Recommendations
1. Replace the Jsonxx library immediately with a modern, actively maintained JSON parsing library that is known to be secure and robust, such as RapidJSON, nlohmann/json, or a similar alternative.
2. Conduct a thorough audit of all software components and dependencies to identify any usage of Jsonxx, including transitive dependencies in third-party software.
3. Implement input validation and JSON schema validation upstream to reduce the risk of malformed or malicious JSON data triggering parsing issues.
4. Where replacement is not immediately feasible, isolate applications using Jsonxx in controlled environments with resource limits (e.g., stack size limits, process sandboxing) to contain the impact of potential crashes.
5. Monitor application logs and crash reports for signs of stack exhaustion or abnormal termination related to JSON parsing.
6. Engage with software vendors or internal development teams to prioritize migration away from Jsonxx and to incorporate secure coding practices for JSON handling.
7. For critical systems, consider deploying runtime application self-protection (RASP) or behaviour-based anomaly detection to detect and respond to unusual application behaviour indicative of exploitation attempts.
8. Maintain an inventory of all JSON parsing libraries in use across the organization to facilitate a timely response to similar vulnerabilities in the future.
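As an added illustration of recommendations 3 and 4 (upstream validation and resource limits), the following is example code written for this page, not jsonxx's own; it assumes the stack exhaustion is driven by deeply nested JSON and rejects input whose nesting exceeds a fixed limit before it ever reaches a recursive parser.

```cpp
// Added example (not jsonxx code): a bounded nesting-depth pre-check that
// runs over raw JSON text before it is handed to a recursive-descent parser.
// Assumption: stack exhaustion is driven by deeply nested arrays/objects, so
// capping depth upstream keeps the parser within its stack budget.
#include <cstddef>
#include <string>

// Returns the maximum bracket nesting depth of `json`, or -1 if the depth
// exceeds `limit`, brackets are unbalanced, or a string is unterminated.
// Brackets inside string literals are ignored, honouring backslash escapes.
int json_nesting_depth(const std::string& json, int limit) {
    int depth = 0, max_depth = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < json.size(); ++i) {
        char c = json[i];
        if (in_string) {
            if (c == '\\') { ++i; continue; }   // skip the escaped character
            if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
        case '"': in_string = true; break;
        case '[': case '{':
            if (++depth > limit) return -1;      // reject before the parser recurses
            if (depth > max_depth) max_depth = depth;
            break;
        case ']': case '}':
            if (--depth < 0) return -1;          // more closes than opens
            break;
        default: break;
        }
    }
    return (depth == 0 && !in_string) ? max_depth : -1;
}

// Gate to call before passing input to the JSON library; 64 is a
// conservative default that ordinary API payloads never approach.
bool json_safe_to_parse(const std::string& json, int limit = 64) {
    return json_nesting_depth(json, limit) >= 0;
}
```

Input that fails the gate should be logged and dropped rather than parsed, which also gives the crash-report monitoring in recommendation 5 a clean signal to count.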
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3aaa
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 12:21:06 AM
Last updated: 8/8/2025, 4:47:12 PM