CVE-2023-51074 Report - Details, Severity, & Advisories

Twingate Team

Jun 13, 2024

What is CVE-2023-51074?

CVE-2023-51074 is a medium-severity vulnerability in json-path v2.8.0, the Jayway JsonPath library for Java that evaluates JSONPath expressions against JSON documents. Specially crafted input to the Criteria.parse() method triggers uncontrolled recursion that exhausts the call stack, so the practical impact is a denial of service (a StackOverflowError in the JVM) rather than code execution. Systems that build criteria from untrusted input, for example filter expressions taken from API requests, are the ones at risk.

Who is impacted by this?

This vulnerability affects users of json-path v2.8.0 and older versions, such as 2.7.0. The affected code paths are the deprecated Criteria.parse() and Criteria.where() methods; applications that build filters with Filter.parse() are not affected. Any application that passes attacker-controlled strings to Criteria.parse() or Criteria.where() may be at risk.

What should I do if I’m affected?

If you're affected by CVE-2023-51074, take the following steps to protect your systems:

  1. Upgrade to json-path 2.9.0 or later, the first release that includes the fix from pull request #985.

  2. If you're using the deprecated Criteria.parse or Criteria.where methods, switch to Filter.parse, which is not affected by this vulnerability. Until the upgrade ships, treat any string that reaches Criteria.parse from outside the application as untrusted and validate or reject it before parsing.
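The two remediation steps above, as an added example that is not code from the json-path project or from this page: the deprecated Criteria.parse() call beside its Filter.parse() replacement, with a hypothetical input-length cap and error handling added as defence in depth. It assumes the Maven artifact com.jayway.jsonpath:json-path at 2.9.0 or later on the classpath; the sample document, the class name, the MAX_FILTER_LENGTH constant and the helper method names are constructed for illustration.

```java
// Added example for this report; not code from the json-path project or the page.
// Assumes Maven dependency com.jayway.jsonpath:json-path at version 2.9.0 or later.
import com.jayway.jsonpath.Criteria;
import com.jayway.jsonpath.Filter;
import com.jayway.jsonpath.InvalidPathException;
import com.jayway.jsonpath.JsonPath;

import java.util.List;
import java.util.Map;

public class CriteriaToFilterMigration {

    // Constructed sample document, not from the original page.
    static final String JSON =
        "{\"items\":[{\"name\":\"widget\",\"price\":5},{\"name\":\"gadget\",\"price\":15}]}";

    // Hypothetical cap on user-supplied filter length (defence in depth, not part of json-path).
    static final int MAX_FILTER_LENGTH = 256;

    // BEFORE: the deprecated API named in CVE-2023-51074. Criteria.parse() takes a
    // "<left> <operator> <right>" string; on json-path 2.8.0, attacker-controlled text
    // here can recurse until the thread's stack is exhausted.
    @SuppressWarnings("deprecation")
    static List<Map<String, Object>> selectWithCriteria(String criteriaText) {
        Filter filter = Filter.filter(Criteria.parse(criteriaText));
        return JsonPath.parse(JSON).read("$.items[?]", filter);
    }

    // AFTER: Filter.parse() takes the bracketed "[?(...)]" form and is not affected.
    // The length cap and the InvalidPathException handling are added hardening so a
    // malformed or oversized expression fails fast as a client error.
    static List<Map<String, Object>> selectWithFilter(String filterText) {
        if (filterText == null || filterText.length() > MAX_FILTER_LENGTH) {
            throw new IllegalArgumentException("filter expression missing or too long");
        }
        Filter filter;
        try {
            filter = Filter.parse(filterText);
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid filter expression: " + e.getMessage(), e);
        }
        return JsonPath.parse(JSON).read("$.items[?]", filter);
    }

    public static void main(String[] args) {
        // The same selection expressed both ways; note the different string syntax.
        System.out.println(selectWithCriteria("@.price > 10"));     // deprecated path
        System.out.println(selectWithFilter("[?(@.price > 10)]"));  // replacement

        // Oversized untrusted input is rejected before any parser runs.
        try {
            selectWithFilter("[?(" + "(".repeat(10_000) + ")]");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Filter.parse expects the bracketed form used inside a path expression ([?(@.price > 10)]), while Criteria.parse took a bare "left operator right" triple, so a migration has to translate any stored expressions as well as swap the call. The length cap does not replace the upgrade; it only bounds the size of a single untrusted expression before the library sees it, which is a generic precaution rather than a fix for the recursion.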

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

CVE-2023-51074 is not listed in CISA's Known Exploited Vulnerabilities Catalog. The issue was published on December 27, 2023, and is rated medium severity. Absence from the KEV catalog does not make it harmless: a denial-of-service trigger that needs only a crafted string is cheap to use, so affected deployments should still upgrade json-path and move any Criteria.parse or Criteria.where callers to Filter.parse.

Weakness Enumeration

NVD lists the weakness as NVD-CWE-Other, meaning the NVD analysts did not map it to a specific CWE entry. The underlying defect is uncontrolled recursion in the Criteria.parse method of json-path v2.8.0 that exhausts the thread's stack; CWE-674 (Uncontrolled Recursion) is the closest standard category.

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD entry for CVE-2023-51074 and to pull request #985 in the json-path repository.
