CVE-2026-4735
Deserialization Vulnerability in DTStack Chunjun Before
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dtstack | chunjun | to 1.16.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4735 is a vulnerability in the DTStack chunjun project related to the JSON parsing functionality in the GsonUtil.java file. The issue arises from the use of a recursive method to parse JSON data, which can cause unbounded recursion when processing deeply nested JSON structures. This unbounded recursion can lead to a stack overflow, resulting in a Denial of Service (DoS) condition.
The vulnerability was addressed by replacing the recursive parsing method with an iterative approach, which prevents excessive recursive calls and improves robustness against deeply nested JSON inputs. However, the fix requires upgrading the Gson library dependency to a compatible version.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on systems using the affected DTStack chunjun versions before 1.16.1. By sending specially crafted deeply nested JSON data, an attacker can trigger unbounded recursion in the JSON parser, leading to a stack overflow and crashing the application or service.
Such a DoS condition can disrupt normal operations, potentially causing downtime or degraded service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from recursive JSON parsing in the DTStack chunjun project, which can lead to stack overflow and Denial of Service (DoS) when processing deeply nested JSON inputs.
To detect this vulnerability on your system, you can monitor for crashes or DoS symptoms when the application processes JSON data, especially deeply nested JSON structures.
There are no specific commands provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
The recommended mitigation is to upgrade the DTStack chunjun project to version 1.16.1 or later, where the vulnerability is fixed.
Additionally, upgrade the Gson library dependency to a version that supports an iterative JSON parsing approach, which prevents unbounded recursion and stack overflow.
Avoid using the vulnerable recursive JSON parsing method in GsonUtil.java and apply patches or pull requests that replace it with an iterative approach.