Why FastJSON’s \x Escape Bug Causes OOM and How to Fix It
This article explains the FastJSON vulnerability disclosed in September 2019: how the \x escape handling leads to out-of-memory errors, which versions are affected, which patch versions are recommended, the timeline of events, and reference links for further investigation.
0x00 Vulnerability Background
On September 5, 2019, 360CERT reported that FastJSON had introduced a fix in commit 995845170527221ca0293cf290e33a7d6cb52bf7 (submitted on September 3, 2019) to address a potential OOM issue when a string contains the \x escape character.
360CERT assessed the vulnerability as high-severity with a large impact surface. An attacker can send crafted requests that stall the thread handling them, and a flood of such malicious requests may bring the entire service down.
Users are advised to audit their components to prevent attacks.
0x01 Vulnerability Details
The critical point lies in com.alibaba.fastjson.parser.JSONLexerBase#scanString. When an escape sequence inside a JSON string begins with \x, FastJSON reads the next two characters, interprets them together with \x as a two-digit hexadecimal code, and appends the corresponding character.
If the JSON string ends with \x, FastJSON does not check that two characters remain and reads two more anyway, which yields the end-of-input sentinel \u001A (EOF). The parser then keeps reading EOF and writing it into its buffer until an OOM error is triggered.
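The missing check can be illustrated with a small string scanner. The Java code below is an added example written for this article, not FastJSON's own JSONLexerBase; the class name HexEscapeScanner, its methods, the MAX_STRING_LENGTH cap and the two constructed inputs are assumptions of the example, while the end-of-input sentinel value U+001A follows the description above. The scanner returns the sentinel once the input is exhausted, exactly the convention that makes an unchecked two-character read after \x dangerous, and it rejects a truncated escape instead of consuming the sentinel as data.

```java
/**
 * Minimal JSON string scanner (added example, not FastJSON code) showing how a
 * \x escape must be validated before its two hex digits are consumed.
 */
public final class HexEscapeScanner {
    /** Same sentinel value FastJSON uses for end of input (U+001A, called EOF above). */
    static final char EOI = (char) 0x1A;

    /** Defence-in-depth cap so a runaway scan fails fast instead of exhausting the heap (assumed value). */
    static final int MAX_STRING_LENGTH = 1 << 20;

    private final String text;
    private int bp = -1; // index of the last character consumed

    HexEscapeScanner(String text) {
        this.text = text;
    }

    /** Advances one character; past the end it keeps returning EOI, as the real lexer does. */
    private char next() {
        bp++;
        return bp < text.length() ? text.charAt(bp) : EOI;
    }

    /** Scans a double-quoted JSON string from the current position and returns its decoded value. */
    String scanString() {
        if (next() != '"') {
            throw new IllegalArgumentException("expected opening quote");
        }
        StringBuilder sb = new StringBuilder();
        for (;;) {
            char ch = next();
            if (ch == '"') {
                return sb.toString();
            }
            if (ch == EOI) {
                // The vulnerable pattern treats EOI as ordinary data and keeps looping;
                // here it is a hard error, so the scan terminates instead of growing the buffer.
                throw new IllegalArgumentException("unclosed string at offset " + bp);
            }
            if (ch == '\\') {
                ch = next();
                switch (ch) {
                    case '"':  sb.append('"');  break;
                    case '\\': sb.append('\\'); break;
                    case 'n':  sb.append('\n'); break;
                    case 'x':
                        // The fix: confirm both hex digits are present and valid before using them.
                        sb.append(scanHexByte());
                        break;
                    default:
                        throw new IllegalArgumentException("unsupported escape \\" + ch + " at offset " + bp);
                }
            } else {
                sb.append(ch);
            }
            if (sb.length() > MAX_STRING_LENGTH) {
                throw new IllegalArgumentException("string exceeds " + MAX_STRING_LENGTH + " characters");
            }
        }
    }

    /** Reads the two hex digits after \x, rejecting EOI or non-hex input rather than silently consuming it. */
    private char scanHexByte() {
        int hi = hexDigit(next());
        int lo = hexDigit(next());
        return (char) ((hi << 4) | lo);
    }

    private int hexDigit(char c) {
        int v = Character.digit(c, 16);
        if (c == EOI || v < 0) {
            throw new IllegalArgumentException("truncated or invalid \\x escape at offset " + bp);
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed escape, one string cut off right after \x.
        System.out.println(new HexEscapeScanner("\"ab\\x41cd\"").scanString());
        try {
            new HexEscapeScanner("\"ab\\x").scanString();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points carry over to any hand-written lexer of this shape: every multi-character escape must check for the end-of-input sentinel on each character it consumes, and the main loop must treat the sentinel as a terminating error rather than as a byte to store, since the second mistake is what turns a truncated escape into unbounded buffer growth. The length cap is a separate safety net; it limits how much a single string can allocate even if a future escape handler regresses.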
0x02 Affected Versions
FastJSON versions prior to 1.2.60 are vulnerable.
0x03 Fix Recommendations
Upgrade 1.1.15~1.1.31 to 1.1.31.sec07
Upgrade 1.1.32~1.1.33 to 1.1.33.sec06
Upgrade 1.1.34 to 1.1.34.sec06
Upgrade 1.1.35~1.1.46 to 1.1.46.sec06
Upgrade 1.2.3~1.2.7 to 1.2.7.sec06 or 1.2.8.sec04
Upgrade 1.2.8 to 1.2.8.sec06
Upgrade 1.2.9~1.2.29 to 1.2.29.sec06
0x04 Timeline
2019-09-03 FastJSON submitted the fix commit.
2019-09-05 360CERT issued the security advisory.
0x05 References
FastJSON commit 995845170527221ca0293cf290e33a7d6cb52bf7
FastJSON PR 2692 diff
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"