CVE-2023-34610: 
Java vulnerability analysis and mitigation

An issue was discovered in json-io through version 4.14.0 that allows attackers to cause a denial of service via a crafted object using cyclic dependencies. The vulnerability was assigned CVE-2023-34610 and was disclosed in June 2023 (NVD).

The vulnerability stems from the json-io library's handling of deeply nested JSON structures. When parsing untrusted JSON input, the parser can crash due to a stack overflow error, particularly when processing arrays with excessive nesting levels. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks. When exploited, the vulnerability can cause the application to crash due to stack overflow errors, making the service unavailable to legitimate users (Red Hat).

Users should avoid using json-io versions 4.14.0 and earlier. The recommended solution involves implementing depth checking during parsing to prevent excessive recursion, similar to approaches taken by other JSON parsers like Jackson-databind and GSON (FortiGuard).