Spray-json 1.3.5 security fix released

Hello everyone,

We just released spray-json 1.3.5, which contains security fixes for a few Denial of Service vulnerabilities:

  • CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
  • CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
  • CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
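
The first and third fixes above are input limits enforced inside the parser. As an added example (not spray-json's own code, which is Scala), the Python pre-scan below rejects a document whose nesting depth or longest number literal exceeds a limit before the full parser ever runs. The limit values and function names are assumptions; the page does not state spray-json's defaults.

```python
import json

# Assumed limits for this example; spray-json's actual defaults are not given on the page.
MAX_DEPTH = 64
MAX_NUMBER_CHARS = 256


class JsonLimitError(ValueError):
    """Raised when a document exceeds a configured structural limit."""


def check_json_limits(text: str, max_depth: int = MAX_DEPTH,
                      max_number_chars: int = MAX_NUMBER_CHARS) -> None:
    """Single linear pass over the raw text: counts open brackets/braces to bound
    recursion depth and measures each number literal to bound digit count.
    String literals are skipped so brackets inside strings are not counted."""
    depth = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                   # skip a string, honouring \" escapes
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == '\\' else 1
        elif c in '[{':
            depth += 1
            if depth > max_depth:
                raise JsonLimitError(f"nesting depth exceeds {max_depth}")
        elif c in ']}':
            depth -= 1
        elif c == '-' or c.isdigit():                  # measure one number literal
            start = i
            while i < n and (text[i].isdigit() or text[i] in '+-.eE'):
                i += 1
            if i - start > max_number_chars:
                raise JsonLimitError(f"number literal longer than {max_number_chars} chars")
            continue                                   # i already points past the literal
        i += 1


def is_within_limits(text: str, **limits) -> bool:
    """True if the document passes the pre-scan, False if it would be rejected."""
    try:
        check_json_limits(text, **limits)
        return True
    except JsonLimitError:
        return False


def safe_loads(text: str, **limits):
    """Parse only after the cheap pre-scan has accepted the document."""
    check_json_limits(text, **limits)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: a benign document, a deeply nested one, and an oversized number.
    print(safe_loads('{"a": [1, 2, {"b": 3}]}'))
    print(is_within_limits("[" * 100 + "]" * 100))       # False: depth 100 > 64
    print(is_within_limits("[" + "1" * 300 + "]"))       # False: 300-digit literal
```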

We’d like to say thanks to Andriy Plokhotnyuk who brought the first two issues to our attention.

Please update as soon as possible. See the release notes at https://github.com/spray/spray-json/releases/tag/v1.3.5 for further information.

Johannes from the Akka team
