Prototype Pollution
In JavaScript, parsing JSON with keys like '__proto__' or 'constructor' can modify the Object prototype if the parser or subsequent code uses unsafe operations. This can allow attackers to inject properties into every object in the application, for example a flag that authorization code later reads as true. JSON.parse() itself is immune: it creates an ordinary own property named '__proto__' rather than changing the parsed object's prototype. The risk arises when object-merging or deep-copy libraries walk the parsed object and assign those keys onto another object.
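The following is an added example, not code from the original page: a naive recursive merge of parsed JSON into a config object beside a hardened version that refuses prototype-related keys. The function names (unsafeMerge, safeMerge, isPlainObject, mergeAndProbe) and the request body are constructed for illustration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every key. JSON.parse gives the parsed object an ordinary
// own property named "__proto__"; assigning through target["__proto__"] walks up
// to Object.prototype, so the nested keys land on every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-related keys and only descend into plain objects the
// target owns itself (never into an inherited one such as Object.prototype).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted request body (illustrative, not taken from the page).
const UNTRUSTED_BODY = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the body into a fresh config with the given strategy and report whether
// an unrelated empty object now inherits "isAdmin"; always undo any pollution.
function mergeAndProbe(mergeFn) {
  try {
    mergeFn({ theme: 'light' }, JSON.parse(UNTRUSTED_BODY));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

A detection-oriented variant of the same check is to reject or log any incoming JSON whose keys include the FORBIDDEN_KEYS set before it reaches application code.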
Deeply Nested JSON Attacks
Deeply nested JSON requires recursive processing that can exhaust stack space or consume excessive CPU time. An attacker sending JSON nested thousands of levels deep can cause a server denial of service. Robust parsers impose a nesting depth limit and reject input that exceeds it; check what limit your parser applies by default, since some apply none.
Large Number and String Attacks
Very large numbers and very long strings in JSON can cause memory exhaustion during parsing, and some runtimes are slow to convert extremely long numeric literals. Rate limiting and request body size limits protect against this; ensure your web server or framework enforces a reasonable body size limit before the body is parsed.
Injection via Embedded JSON
If application code directly embeds externally-sourced JSON strings into JavaScript, injection attacks become possible. When an attacker controls a JSON string value containing </script>, the browser ends the script block at that point and parses whatever follows as HTML. Always use proper serialization libraries rather than string concatenation for embedding JSON in HTML; a serializer that escapes '<' as '\u003c' (valid inside a JSON string) removes the problem.
JSON security requires attention to prototype pollution in JavaScript, nesting depth limits, request size limits, and safe JSON-in-HTML embedding. Most issues are preventable with proper library choices and framework defaults.