Thanks for reporting this. Of course, we would consider moving to a safer and more efficient library, but we would probably pick one that is better supported in the open-source community.
As JSON4S indeed seems not very intensely maintained, we'd probably pick something else if we had to write this library today. For now it works though and these issues don't seem serious enough to warrant an overhaul to a different JSON library. So I'm closing this ticket for now.
Note also that OCPP is typically used between systems that trust each other. This kind of issue seems more urgent for people who host public web APIs to me.
Json4s is vulnerable under DoS/DoW attacks which exploit O(n^2) complexity of insertion into Scala's hash maps in case of colliding hash codes or parsing of JSON numbers.
Would you consider migration to a much safer and more efficient library like jsoniter-scala?