
Romain Manni-Bucau

#47667 of 53,635
5.3 Total CVSS
Vulnerabilities · 1
PT-2023-4628
5.3
2023-05-10
Apache · Apache Johnzon · CVE-2023-33008
**Name of the Vulnerable Software and Affected Versions**

Apache Johnzon versions 1.2.0 through 1.2.20

**Description**

A remote attacker can craft JSON input containing numbers with huge exponents, such as `1e20000000`, which Apache Johnzon deserializes into a `BigDecimal`. Parsing the token itself is cheap because the exponent stays symbolic, but converting the resulting value (for example to a plain digit string or to a `BigInteger`) forces the expansion of tens of millions of digits, so processing the request becomes very slow and CPU-intensive. The issue stems from deserialization of untrusted data and can be exploited by a remote attacker to cause a denial of service.

**Recommendations**

For Apache Johnzon versions 1.2.0 through 1.2.20, update to Apache Johnzon 1.2.21, which mitigates this issue by enforcing a default scale limit of 1000 on `BigDecimal` values. As a temporary workaround, reject or bound numeric tokens with large exponents in untrusted JSON input before it reaches the parser, to minimise the risk of exploitation.
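The following is an added illustration of the mitigation the advisory describes, written for this page; it is not Johnzon's own code. It shows why parsing `1e20000000` into a `BigDecimal` is harmless on its own and why a scale check must run before any conversion that materialises the digits. The class name, the `parseJsonNumber` helper, the `DEFAULT_MAX_SCALE` constant and the sample tokens are assumptions chosen for the example; the limit of 1000 is the default the advisory attributes to Johnzon 1.2.21.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

// Added example (not Apache Johnzon code): guard a JSON numeric token by
// checking the BigDecimal scale before any digit-expanding conversion.
public class BigDecimalScaleGuard {

    // Assumption: mirrors the default limit the advisory attributes to
    // Johnzon 1.2.21; the constant name is ours, not the library's.
    static final int DEFAULT_MAX_SCALE = 1000;

    /**
     * Parses a JSON numeric token into a BigDecimal and rejects values whose
     * scale lies outside [-maxScale, maxScale]. new BigDecimal("1e20000000")
     * is O(token length): the value is stored as unscaled 1 with scale
     * -20000000, so the cost only appears when something expands the digits.
     */
    static BigDecimal parseJsonNumber(String token, int maxScale) {
        BigDecimal value = new BigDecimal(token); // may throw NumberFormatException
        int scale = value.scale();                // 1e20000000 -> scale == -20000000
        if (scale < -maxScale || scale > maxScale) {
            throw new IllegalArgumentException(
                    "scale " + scale + " exceeds limit " + maxScale + " for token " + token);
        }
        return value;
    }

    static BigDecimal parseJsonNumber(String token) {
        return parseJsonNumber(token, DEFAULT_MAX_SCALE);
    }

    public static void main(String[] args) {
        // Constructed inputs: ordinary values, a value at the limit, one just
        // past it, and the advisory's attacker-style payload.
        String[] tokens = { "123.456", "1e5", "1e1000", "1e1001", "1e20000000" };
        for (String token : tokens) {
            try {
                BigDecimal v = parseJsonNumber(token);
                // Only values that passed the guard reach a digit-expanding
                // conversion; without the guard this is the slow step.
                BigInteger expanded = v.toBigInteger();
                System.out.println(token + " accepted: scale=" + v.scale()
                        + ", integer digits=" + expanded.toString().length());
            } catch (IllegalArgumentException e) {
                // NumberFormatException is a subclass, so malformed tokens land here too.
                System.out.println(token + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the class prints the first three tokens as accepted (`1e1000` expands to a 1001-digit integer in well under a millisecond) and rejects `1e1001` and `1e20000000` by scale alone, before `toBigInteger()` is ever called. The guard is applied at parse time on purpose: once the `BigDecimal` has been handed to application code, any `toPlainString()`, `toBigInteger()` or arithmetic on it can trigger the expansion, so the check must sit in front of the untrusted input rather than behind it.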