CVE Catalog

CVE-2026-9563

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

In Eclipse Parsson before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications parsing attacker-controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, leading to a denial of service.

Risk Assessment

The risk is a potential DoS attack where a malicious large JSON document can exhaust server resources and disrupt application availability.

Recommendation

Immediately update Eclipse Parsson to version 1.1.8 or later, which introduces a configurable maximum parsing limit with a default of 15 million characters.

Original NVD description (English source)

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS