we just released spray-json 1.3.5 which contains security fixes for a few Denial Of Service vulnerabilities:
- CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
- CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
We’d like to say thanks to Andriy Plokhotnyuk who brought the first two issues to our attention.
Please update as soon as possible. See the release notes at https://github.com/spray/spray-json/releases/tag/v1.3.5 for further information.
Johannes from the Akka team