CVE-2023-34617: 
Java vulnerability analysis and mitigation

An issue was discovered in Genson through version 1.6 that allows attackers to cause a denial of service via crafted objects that use cyclic dependencies. The vulnerability was disclosed on May 26, 2023, and is tracked as CVE-2023-34617. The affected component is the JSON parsing functionality in the Genson library (NVD, GitHub Issue).

The vulnerability stems from the library's handling of deeply nested JSON structures. When parsing untrusted JSON input, the parser can crash with a StackOverflowError due to recursive processing of nested arrays or JSON objects. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

The vulnerability can be exploited to cause denial of service conditions in applications using the Genson library. When processing maliciously crafted JSON input with cyclic dependencies, the application can crash due to stack overflow, making the service unavailable (GitHub Issue).

Two potential solutions have been suggested based on similar vulnerabilities in other JSON parsers: 1) Adding depth tracking to limit parsing depth, similar to jackson-databind's approach, or 2) Changing the recursive processing to use stack+iteration processing, similar to GSON's solution (GitHub Issue).