CVE-2024-57699
Published: 05 February 2025
Summary
CVE-2024-57699 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-57699 is a stack exhaustion vulnerability affecting Netplex Json-smart versions 2.5.0 through 2.5.1. The issue arises when processing a specially crafted JSON input containing a large number of opening braces ('{'), triggering uncontrolled recursion and leading to denial of service (DoS). This flaw stems from an incomplete fix for the prior vulnerability CVE-2023-1370 and is classified under CWE-674 (Uncontrolled Recursion), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying the malformed JSON input to an affected Json-smart parser, the attacker can exhaust the stack, causing the application to crash or become unresponsive and disrupting availability.
References for CVE-2024-57699 include a GitHub repository containing a proof-of-concept exploit at https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699 and the NVD detail page for the related CVE-2023-1370 at https://nvd.nist.gov/vuln/detail/cve-2023-1370. No specific patch or mitigation details are outlined in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53713
Vulnerability details
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input containing a large number of '{', a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct stack exhaustion DoS via remote JSON input maps to application exploitation for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the stack exhaustion vulnerability by requiring timely patching of the affected Json-smart library versions.
Information input validation prevents processing of specially crafted JSON inputs with excessive opening braces that trigger uncontrolled recursion.
Denial-of-service protection implements mechanisms to block or mitigate stack exhaustion attacks exploiting malformed JSON inputs.