Skip to content

CVE-2026-9563 (High) detected in parsson-1.1.7.jar #395

Description

@mend-bolt-for-github

CVE-2026-9563 - High Severity Vulnerability

Vulnerable Library - parsson-1.1.7.jar

Jakarta JSON Processing provider

Library home page: https://github.com/eclipse-ee4j/parsson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/parsson/parsson/1.1.7/parsson-1.1.7.jar

Dependency Hierarchy:

  • parsson-1.1.7.jar (Vulnerable Library)

Found in HEAD commit: 270465e4bf74e87253e9245ca2e1fc7ed83b0cbb

Found in base branch: master

Vulnerability Details

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

Publish Date: 2026-07-02

URL: CVE-2026-9563

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-07-02

Fix Resolution: 1.1.8


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions