Security Patch - December, 2023

October 29, 2025

JSON-Java

A vulnerability has been identified in the JSON-Java library up to and including 20230618, tracked under the following reference: CVE-2023-5072. This vulnerability could potentially allow an attacker to progressively increase memory usage until it leads to a Denial of Service.

Due to the number of changes introduced in the library and leading up to version 20231013 containing the security fixes, we took the decision to fork the version previously embedded in Jahia and only address the security vulnerability. This reduces the testing required by our customers and will facilitate the application of this patch. This fork is not expected to receive updates in the future.

This forked version is available for download on this page (for Jahia 8.1.6.1 and below) and will ship natively with Jahia 8.1.7.0.

The next major version of Jahia, the 8.2.0.0 is currently planned to ship with the latest version json-20231013.

Note: A version of the patched library, json-20070829-jahia1.jar, was previously published on this page. It is perfectly functional but compatible only with JDK11 and above. This page was updated with version json-20070829-jahia2.jar, which is compatible with JDK8 and above.

Upgrading the JSON-Java library

This procedure has been validated with all Jahia 8.1.3+ releases. It is also expected to work on previous 7.3 versions, but we strongly encourage you to upgrade to newer Jahia versions, which come with other security fixes.

When applying the patch on a cluster, it is not necessary to stop all the nodes at once. You can proceed node by node, starting with the processing one, in order to keep your sites available online. But you need to repeat the procedure on all nodes.

  1. Download the json-20070829-jahia2.jar file (MD5: 7a082c480208de3250dfb7ba27bf1a20)
  2. Make sure to have a proper backup
  3. Stop tomcat
  4. Remove the previous version of the library (json-[0-9]*.jar) from the tomcat/webapps/ROOT/WEB-INF/lib folder
  5. Add json-20070829-jahia2.jar into the tomcat/webapps/ROOT/WEB-INF/lib folder
  6. Start tomcat
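The steps above, collected into one script that can be run on each node in turn. This is an added example, not a script shipped by Jahia: the checksum check uses the MD5 published in step 1, the old jar is matched with the same json-[0-9]*.jar pattern as step 4, and the Tomcat control commands (bin/shutdown.sh and bin/startup.sh under an assumed TOMCAT_HOME path) as well as the optional backup directory are assumptions to adapt to your installation.

```shell
#!/bin/sh
# Added example (not Jahia's own script): applies the JSON-Java replacement
# from the steps above on one node. The tomcat path and control commands
# are assumptions; adjust them to your installation.
set -eu

# Values taken from the advisory above.
NEW_JAR_NAME="json-20070829-jahia2.jar"
EXPECTED_MD5="7a082c480208de3250dfb7ba27bf1a20"

# Print the MD5 hex digest of a file, using whichever tool the host provides.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Succeed only if the file's MD5 matches the expected digest.
# $1 = file, $2 = expected digest
verify_download() {
  [ "$(file_md5 "$1")" = "$2" ]
}

# Count json-*.jar files in a directory (0 when the glob matches nothing).
count_json_jars() {
  n=0
  for f in "$1"/json-*.jar; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Steps 4 and 5: drop every json-[0-9]*.jar from the lib folder, then add
# the patched jar. If a backup directory is given as $3, the old jars are
# moved there instead of deleted (step 2 asks for a backup).
# $1 = downloaded jar, $2 = WEB-INF/lib directory, $3 = optional backup dir
install_json_jar() {
  jar="$1"
  lib_dir="$2"
  backup_dir="${3:-}"
  for old in "$lib_dir"/json-[0-9]*.jar; do
    [ -e "$old" ] || continue        # glob matched nothing
    if [ -n "$backup_dir" ]; then
      mkdir -p "$backup_dir"
      mv -- "$old" "$backup_dir/"
    else
      rm -f -- "$old"
    fi
  done
  cp -- "$jar" "$lib_dir/$NEW_JAR_NAME"
}

# Full per-node procedure (steps 3 to 6). The download itself (step 1) is
# left to the operator; a mismatching checksum aborts before Tomcat is stopped.
# $1 = downloaded jar, $2 = TOMCAT_HOME (assumed layout: bin/, webapps/ROOT/)
apply_patch() {
  downloaded_jar="$1"
  tomcat_home="$2"
  lib_dir="$tomcat_home/webapps/ROOT/WEB-INF/lib"
  verify_download "$downloaded_jar" "$EXPECTED_MD5" || {
    echo "MD5 mismatch for $downloaded_jar; refusing to install" >&2
    return 1
  }
  "$tomcat_home/bin/shutdown.sh"                       # step 3
  install_json_jar "$downloaded_jar" "$lib_dir" "$tomcat_home/json-backup"
  "$tomcat_home/bin/startup.sh"                        # step 6
}

# Usage: sh apply-json-patch.sh /path/to/json-20070829-jahia2.jar /opt/jahia/tomcat
if [ "$#" -eq 2 ]; then
  apply_patch "$1" "$2"
fi
```

On a cluster, run it on the processing node first and then on each other node, as the advisory describes; the checksum check runs before Tomcat is stopped, so a corrupted download does not take a node offline.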

Verifying the library upgrade

To verify the library upgrade, and that you are fully protected against known vulnerabilities, you simply need to access the tools and verify that the version 20070829-jahia2 of JSON-Java is the one in use. To do so, open the Groovy console in the tools (/modules/tools/groovyConsole.js) and execute the following Groovy script, which will display the json version in use:

// Locate the jar that the running JVM loaded org.json.JSONObject from.
Class jsonObjectClass = new org.json.JSONObject().getClass();
// Resolves to a "jar:file:/.../json-<version>.jar!/org/json/JSONObject.class" URL.
String classPath = jsonObjectClass.getResource(jsonObjectClass.getSimpleName() + ".class").toString();
// Print only the jar location; it should end with json-20070829-jahia2.jar.
println("Lib: " + classPath.substring(0, classPath.lastIndexOf("!")));

Please do not hesitate to reach out to Jahia Support if you have any questions or concerns.