How FastJSON’s \x Escape Bug Triggers OOM and Which Versions to Upgrade
This article explains the fastjson vulnerability where malformed \x escape sequences cause endless EOF reads leading to out‑of‑memory crashes, outlines the affected versions, provides detailed exploitation mechanics, and lists recommended upgrade paths to mitigate the risk.
Vulnerability Background
On September 5, 2019 fastjson committed 995845170527221ca0293cf290e33a7d6cb52bf7 to fix a potential OOM issue when a string contains \x escape characters.
360CERT assessed the vulnerability as high impact: attackers can send crafted requests that stall the current thread, and massive malicious requests may bring down the entire service.
Users are advised to verify their components and upgrade fastjson to at least version 1.2.60.
Vulnerability Details
The flaw lies in com.alibaba.fastjson.parser.JSONLexerBase#scanString. While scanning a JSON string, fastjson handles a \x escape by reading the next two characters and combining them into one hexadecimal byte. If the string ends right after \x, fastjson does not check for this and still reads two more characters, which come back as \u001A (EOF, the lexer's end-of-input sentinel).
The scanning loop then keeps reading EOF and appending it to the string buffer on every iteration, never finding a closing quote, until an Out-Of-Memory error occurs.
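A simplified model of the scanString loop, added here as an illustration and not fastjson's own code: the vulnerable end-of-input test beside a hardened one, with a budget cutoff so the demo stops instead of really exhausting memory. Only the 0x1A EOI sentinel is taken from fastjson; the class and function names, the hardened check and the placeholder character are assumptions of this example, not the upstream fix.

```python
EOI = "\x1a"   # fastjson's end-of-input sentinel (JSONLexerBase.EOI)
HEX = set("0123456789abcdefABCDEF")
SIMPLE = {'"': '"', "\\": "\\", "/": "/", "n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


class Lexer:
    """Cursor over the input; next() keeps returning EOI once the end is passed."""

    def __init__(self, text):
        self.text, self.pos, self.ch = text, 0, text[0] if text else EOI

    def next(self):
        self.pos += 1
        self.ch = self.text[self.pos] if self.pos < len(self.text) else EOI
        return self.ch

    def is_eof_vulnerable(self):
        # Modelled end-of-input test: true only when the cursor sits exactly at the end.
        # After a truncated \x has consumed two EOIs, pos has overshot len(text) and
        # this never becomes true again, so the caller loops forever.
        n = len(self.text)
        return self.pos == n or (self.ch == EOI and self.pos + 1 == n)


def scan_string(text, hardened=False, budget=1000):
    """Scan the JSON string starting at text[0] == '"'; returns (status, detail)."""
    lx, out = Lexer(text), []
    while True:
        ch = lx.next()
        if ch == '"':
            return "ok", "".join(out)
        if ch == EOI:
            at_end = lx.pos >= len(text) if hardened else lx.is_eof_vulnerable()
            if at_end:
                return "error", "unclosed string"
            out.append(EOI)   # vulnerable path: buffer the EOI as data and keep reading
        elif ch == "\\":
            esc = lx.next()
            if esc == "x":
                x1, x2 = lx.next(), lx.next()   # reads past the end without checking
                if x1 in HEX and x2 in HEX:
                    out.append(chr(int(x1 + x2, 16)))
                elif hardened:
                    return "error", "truncated or invalid \\x escape"
                else:
                    out.append("\ufffd")   # stand-in for the garbage char the lexer forms
            elif esc in SIMPLE:
                out.append(SIMPLE[esc])
            else:
                return "error", "unknown escape \\" + esc
        else:
            out.append(ch)
        if len(out) > budget:   # demo cutoff standing in for the real OutOfMemoryError
            return "oom_loop", "%d chars buffered with no closing quote" % len(out)
```

Feeding the truncated string `"ab\x` to the vulnerable mode returns `oom_loop`, while the hardened mode rejects it as a bad escape; well-formed input such as `"ab\x41c"` scans to `abAc` in both modes.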
Affected Versions
All fastjson versions earlier than 1.2.60.
Mitigation Recommendations
Upgrade 1.1.15–1.1.31 to 1.1.31.sec07
Upgrade 1.1.32–1.1.33 to 1.1.33.sec06
Upgrade 1.1.34 to 1.1.34.sec06
Upgrade 1.1.35–1.1.46 to 1.1.46.sec06
Upgrade 1.2.3–1.2.7 to 1.2.7.sec06 or 1.2.8.sec04
Upgrade 1.2.8 to 1.2.8.sec06
Upgrade 1.2.9–1.2.29 to 1.2.29.sec06
Timeline
2019‑09‑03 fastjson submitted the fix commit.
2019‑09‑05 360CERT issued the advisory.
2019‑09‑07 Weekend overtime spent upgrading.
Note: Jackson also released several versions to address similar issues.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Java Backend Technology