Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.

This issue affects jsonrpc4j: through 1.6.0.
Published: 2026-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

The vulnerability originates from a loop with an unreachable exit condition in the jsonrpc4j library, classified as CWE-835. When triggered, the loop runs indefinitely, consuming CPU resources and preventing the application from processing further requests, effectively causing a denial of service. The publisher labels it as a buffer overflow, but the underlying flaw is an infinite loop rather than a memory corruption issue.

Affected Systems

The affected product is jsonrpc4j from briandilley, version 1.6.0 and earlier. Projects that embed this version and expose the JSON‑RPC endpoint may be vulnerable if proper access controls are not in place.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector would be remote, via crafted inbound requests to the JSON‑RPC service, though this is inferred from the nature of the library and not explicitly stated in the advisory. Exploitation would require an attacker to send data that triggers the loop, leaving the service unresponsive until it is restarted or a watchdog recovers it.

Generated by OpenCVE AI on April 18, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsonrpc4j to a version newer than 1.6.0, such as 1.6.1 if available, to remove the flawed loop.
  • Limit external access to the JSON‑RPC service so only trusted clients can invoke it, thereby reducing the attack surface for the infinite loop.
  • Implement application‑level watchdogs or process resource limits to detect when the service stalls and restart it automatically.

Advisories
Source: GitHub GHSA
ID: GHSA-hcx3-3q5c-r5v6
Title: jsonrpc4j has Infinite Loop in RPC Stream Writer

History

Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Briandilley; Briandilley jsonrpc4j

Type: Vendors & Products
Values Added: Briandilley; Briandilley jsonrpc4j

Tue, 27 Jan 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 08:45:00 +0000

Type: Description
Values Added: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0.

Type: Title
Values Added: Buffer Overflow Vulnerability in briandilley/jsonrpc4j

Type: Weaknesses
Values Added: CWE-835

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:L/AU:Y/R:A/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T17:03:30.291Z

Reserved: 2026-01-27T08:18:43.268Z

Link: CVE-2026-24802

Vulnrichment

Updated: 2026-01-27T17:03:25.614Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:50.187

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses