Listen to this Post
This vulnerability exists within the `NoCloseOutputStream.java` class of the jsonrpc4j library. When processing specific RPC stream responses, the `write` method enters a `while` loop that reads data from an InputStream. The loop’s exit condition is dependent on the `read` method returning -1, signifying end-of-stream. However, if the underlying stream is malformed or implemented in a way that never returns `-1` (e.g., a slow or malfunctioning network source), the exit condition becomes unreachable. This causes an infinite loop, consuming 100% of a CPU core indefinitely. The thread becomes unresponsive, leading to denial-of-service for that processing thread and potential resource exhaustion on the host system if multiple requests are exploited.
Platform: jsonrpc4j
Version: < 1.7.0
Vulnerability : Infinite Loop
Severity: Moderate
date: 2026-01-27
Prediction: 2026-01-28
What Undercode Say:
Analytics:
find . -name ".jar" -exec sh -c 'unzip -l "$1" 2>/dev/null | grep -q NoCloseOutputStream && echo "Vulnerable jar: $1"' _ {} \;
mvn dependency:tree | grep jsonrpc4j
// Vulnerable code path in NoCloseOutputStream.write()
public void write(byte b[], int off, int len) throws IOException {
while (len > 0) {
int read = in.read(b, off, len); // If `read` never returns -1, loop is infinite.
if (read == -1) {
break;
}
off += read;
len -= read;
}
}
How Exploit:
An attacker crafts or manipulates an RPC request/response so that the associated `InputStream` provided to `NoCloseOutputStream` never signals end-of-file. This causes the consuming service thread to enter the infinite `write` loop, permanently occupying CPU and halting further request processing for that thread.
Impact:
Denial-of-Service (DoS). Resource exhaustion (CPU). Application thread starvation.
Protection from this CVE:
Upgrade to jsonrpc4j version 1.7.0 or later. The patch modifies the loop logic to have a guaranteed exit condition, preventing the infinite loop scenario.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

