Avoid running out of memory when parsing heavily nested arrays or objects (#1226) (#1227)

mergify[bot] · mkurz · web-flow · commit 43eb60ed950c · 2025-10-10T11:06:44.000+02:00
Just like Jackson 2.15+ we restrict the maximum allowed number of nested arrays or objects (or mixed) to 1000. This default can be changed via a sys property. 1000 should be enough for most real world use cases. Note this is about OutOfMemoryError's, not about StackOverflowError's. StackOverflowError's are not a problem since we use a @tailrec optimized method. Therefore this fix is not 100% about CVE-2025-52999 (which in theory we do not run into) but just an additional precaution. (cherry picked from commit 9722c66) Co-authored-by: Matthias Kurz <m.kurz@irregular.at>
diff --git a/play-json/jvm/src/test/scala/play/api/libs/json/JsonSpec.scala b/play-json/jvm/src/test/scala/play/api/libs/json/JsonSpec.scala
@@ -4,6 +4,8 @@
 
 package play.api.libs.json
 
+import com.fasterxml.jackson.core.exc.StreamConstraintsException
+
 import java.math.BigInteger
 import java.util.Calendar
 import java.util.Date
@@ -561,5 +563,70 @@ class JsonSpec extends org.specs2.mutable.Specification {
       parsed.asInstanceOf[JsObject].fields.mustEqual(original.fields)
       Json.stringify(parsed).mustEqual(originalString)
     }
+
+    "allow parsing objects nested up to max depth" in {
+      try {
+        val depth = 1000
+        Json.parse(("{\"obj\":" * depth) + "1" + ("}" * depth))
+      } catch {
+        case _: StackOverflowError =>
+          ko("StackOverflowError thrown")
+        case _: OutOfMemoryError =>
+          ko("OutOfMemoryError thrown")
+      }
+      ok
+    }
+
+    "disallow parsing nested objects exceeding max depth" in {
+      val depth = 1001
+      Json
+        .parse(("{\"obj\":" * depth) + "1" + ("}" * depth))
+        .must(throwA[StreamConstraintsException].like { case e: StreamConstraintsException =>
+          e.getMessage.must(
+            equalTo(
+              "Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamReadConstraints.getMaxNestingDepth()`)"
+            )
+          )
+        })
+    }
+
+    "allow parsing heavily nested mixed arrays and objects" in {
+      try {
+        val depth = 1000 - 2 // in the string two open objects { are hardcoded
+        Json.parse("{\"foo\":  {\"arr\":" + ("[" * depth) + "1" + ("]" * depth) + "}}")
+      } catch {
+        case _: StackOverflowError =>
+          ko("StackOverflowError thrown")
+        case _: OutOfMemoryError =>
+          ko("OutOfMemoryError thrown")
+      }
+      ok
+    }
+
+    "disallow parsing heavily nested mixed arrays and objects" in {
+      val depth = 1001 - 2 // in the string two open objects { are hardcoded
+      Json
+        .parse("{\"foo\":  {\"arr\":" + ("[" * depth) + "1" + ("]" * depth) + "}}")
+        .must(throwA[StreamConstraintsException].like { case e: StreamConstraintsException =>
+          e.getMessage.must(
+            equalTo(
+              "Document nesting depth (1001) exceeds the maximum allowed (1000, from `StreamReadConstraints.getMaxNestingDepth()`)"
+            )
+          )
+        })
+    }
+  }
+
+  "allow parsing many non-nested arrays and objects, not relevant for depth check" in {
+    try {
+      val repeat = 9999 // 10 thousand in total
+      Json.parse("{\"foo\": [" + ("{\"arr\":[1]}," * repeat) + "{\"arr\":[1]}]}")
+    } catch {
+      case _: StackOverflowError =>
+        ko("StackOverflowError thrown")
+      case _: OutOfMemoryError =>
+        ko("OutOfMemoryError thrown")
+    }
+    ok
   }
 }
