CVE-2026-4735
Received Received - Intake
Deserialization Vulnerability in DTStack Chunjun Before

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Deserialization of Untrusted Data vulnerability in DTStack chunjun (β€Žchunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java. This issue affects chunjun: before 1.16.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4735
EUVD
EUVD-2026-14708
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dtstack chunjun to 1.16.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4735 is a vulnerability in the DTStack chunjun project related to the JSON parsing functionality in the GsonUtil.java file. The issue arises from the use of a recursive method to parse JSON data, which can cause unbounded recursion when processing deeply nested JSON structures. This unbounded recursion can lead to a stack overflow, resulting in a Denial of Service (DoS) condition.

The vulnerability was addressed by replacing the recursive parsing method with an iterative approach, which prevents excessive recursive calls and improves robustness against deeply nested JSON inputs. However, the fix requires upgrading the Gson library dependency to a compatible version.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on systems using the affected DTStack chunjun versions before 1.16.1. By sending specially crafted deeply nested JSON data, an attacker can trigger unbounded recursion in the JSON parser, leading to a stack overflow and crashing the application or service.

Such a DoS condition can disrupt normal operations, potentially causing downtime or degraded service availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from recursive JSON parsing in the DTStack chunjun project, which can lead to stack overflow and Denial of Service (DoS) when processing deeply nested JSON inputs.

To detect this vulnerability on your system, you can monitor for crashes or DoS symptoms when the application processes JSON data, especially deeply nested JSON structures.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The recommended mitigation is to upgrade the DTStack chunjun project to version 1.16.1 or later, where the vulnerability is fixed.

Additionally, upgrade the Gson library dependency to a version that supports an iterative JSON parsing approach, which prevents unbounded recursion and stack overflow.

Avoid using the vulnerable recursive JSON parsing method in GsonUtil.java and apply patches or pull requests that replace it with an iterative approach.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart