<Vulnerability name="CVE-2026-9563">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-02T07:33:25</PublicDate>
    <Bugzilla id="2496411" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496411" xml:lang="en:us">
org.eclipse.parsson/parsson: Eclipse Parsson: Denial of Service via uncontrolled resource consumption in JSON parsing
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-770</CWE>
    <Details xml:lang="en:us" source="Mitre">
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Eclipse Parsson. The JSON parser did not enforce a default maximum on the number of characters consumed while processing a single JSON document. A remote attacker could exploit this by providing a very large, specially crafted JSON document. This could force applications to consume excessive CPU and memory, leading to a denial of service (DoS).
    </Details>
    <Statement xml:lang="en:us">
This is an Important denial of service vulnerability in Eclipse Parsson, a JSON processing library. Applications within Red Hat products that parse untrusted or attacker-controlled JSON documents are susceptible to excessive CPU and memory consumption. This can lead to resource exhaustion and service unavailability due to the parser not enforcing limits on the size or complexity of JSON input.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:cryostat:4">
        <ProductName>Cryostat 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-log-sink-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-serverless-1/kn-eventing-integrations-timer-source-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_quarkus:3">
        <ProductName>Red Hat build of Apache Camel 4 for Quarkus 3</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:apache_camel_hawtio:4">
        <ProductName>Red Hat build of Apache Camel - HawtIO 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:apicurio_registry:3">
        <ProductName>Red Hat build of Apicurio Registry 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:debezium:3">
        <ProductName>Red Hat build of Debezium 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhbk/keycloak-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhbk-openshift-rhel9/rhbk-openshift-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhbk-rhel9-operator/rhbk-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:quarkus:3">
        <ProductName>Red Hat build of Quarkus</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhoai/odh-trustyai-service-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>devspaces/multicluster-redirector-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Affected</FixState>
        <PackageName>devspaces/openvsx-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Affected</FixState>
        <PackageName>devspaces/pluginregistry-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Affected</FixState>
        <PackageName>parsson</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9563
https://nvd.nist.gov/vuln/detail/CVE-2026-9563
https://github.com/eclipse-ee4j/parsson/commit/134e8d101aa74c8b9302d0cb62f6ccb4912a9d0c
https://github.com/eclipse-ee4j/parsson/pull/169
https://github.com/eclipse-ee4j/parsson/tree/1.1.8
https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444
https://repo.maven.apache.org/maven2/org/eclipse/parsson/parsson/1.1.8/
    </References>
</Vulnerability>