jsonrpc4j, Infinite Loop Vulnerability (Moderate)

Listen to this Post

This vulnerability exists within the `NoCloseOutputStream.java` class of the jsonrpc4j library. When processing specific RPC stream responses, the `write` method enters a `while` loop that reads data from an InputStream. The loop’s exit condition is dependent on the `read` method returning -1, signifying end-of-stream. However, if the underlying stream is malformed or implemented in a way that never returns `-1` (e.g., a slow or malfunctioning network source), the exit condition becomes unreachable. This causes an infinite loop, consuming 100% of a CPU core indefinitely. The thread becomes unresponsive, leading to denial-of-service for that processing thread and potential resource exhaustion on the host system if multiple requests are exploited.
Platform: jsonrpc4j
Version: < 1.7.0
Vulnerability : Infinite Loop
Severity: Moderate
date: 2026-01-27

Prediction: 2026-01-28

What Undercode Say:

Analytics:

find . -name ".jar" -exec sh -c 'unzip -l "$1" 2>/dev/null | grep -q NoCloseOutputStream && echo "Vulnerable jar: $1"' _ {} \;
mvn dependency:tree | grep jsonrpc4j
// Vulnerable code path in NoCloseOutputStream.write()
public void write(byte b[], int off, int len) throws IOException {
while (len > 0) {
int read = in.read(b, off, len); // If `read` never returns -1, loop is infinite.
if (read == -1) {
break;
}
off += read;
len -= read;
}
}

How Exploit:

An attacker crafts or manipulates an RPC request/response so that the associated `InputStream` provided to `NoCloseOutputStream` never signals end-of-file. This causes the consuming service thread to enter the infinite `write` loop, permanently occupying CPU and halting further request processing for that thread.

Impact:

Denial-of-Service (DoS). Resource exhaustion (CPU). Application thread starvation.

Protection from this CVE:

Upgrade to jsonrpc4j version 1.7.0 or later. The patch modifies the loop logic to have a guaranteed exit condition, preventing the infinite loop scenario.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top