Description

ArduinoJson's parser contains a recursive function that is called each time an opening brace ({) or opening bracket ([) appears in the input. In other words, each object or array nesting level costs one recursive call, and therefore one stack frame.

This recursion is a security risk: an attacker who controls the input can send a document made of many opening brackets, each one forcing another recursive call, until the call stack is exhausted and the program crashes (a stack overflow). On a microcontroller with only a few kilobytes of stack, the input needed to do this is small.

To protect against this risk, ArduinoJson limits the number of nesting levels. The macro ARDUINOJSON_DEFAULT_NESTING_LIMIT defines the default limit. It is set to 10 by default, but can be overridden. When the input nests deeper than the limit, the parser stops before recursing further and deserializeJson() returns DeserializationError::TooDeep instead of a parsed document.

The default value changed in ArduinoJson 6.19 (from 50 to 10).

Example

If your JSON input contains more nesting levels than allowed, you have two options.

The first option is to define the macro to a higher value, which changes the nesting limit for the whole program. The definition must appear before the first inclusion of the ArduinoJson header; otherwise the library's own default wins. Here is an example:

#define ARDUINOJSON_DEFAULT_NESTING_LIMIT 20
#include <ArduinoJson.hpp>

The second option is to use the optional parameter of deserializeJson(), which changes the nesting limit for one call only. Here is an example:

deserializeJson(doc, input, DeserializationOption::NestingLimit(20));
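To make the mechanism concrete, here is an added, self-contained illustration (it is not ArduinoJson's code and does not need the library): a toy recursive JSON structure checker in which every `{` or `[` enters `skipContainer()` recursively, exactly the pattern described above. `DEMO_DEFAULT_NESTING_LIMIT` plays the role of ARDUINOJSON_DEFAULT_NESTING_LIMIT, the optional `limit` argument of `checkNesting()` plays the role of DeserializationOption::NestingLimit, and the `Result` values are modelled on DeserializationError. The parser, its function names and the `nested()` payload builder are hypothetical and simplified.

```cpp
// Added illustration (not ArduinoJson's own code): a toy recursive JSON
// structure checker. Each nesting level costs one stack frame, so the limit
// check at the top of skipContainer() is what keeps deep input from
// overflowing the stack. Names are modelled on ArduinoJson but hypothetical.
#include <cstddef>
#include <cstdio>
#include <string>

#ifndef DEMO_DEFAULT_NESTING_LIMIT
#define DEMO_DEFAULT_NESTING_LIMIT 10  // stands in for ARDUINOJSON_DEFAULT_NESTING_LIMIT
#endif

enum class Result { Ok, TooDeep, IncompleteInput, InvalidInput };

static Result skipValue(const std::string& in, size_t& pos, size_t limit);

static void skipWs(const std::string& in, size_t& pos) {
  while (pos < in.size() && (in[pos] == ' ' || in[pos] == '\t' ||
                             in[pos] == '\n' || in[pos] == '\r'))
    ++pos;
}

// Consumes a quoted string (in[pos] must be '"'), honouring backslash escapes.
static Result skipString(const std::string& in, size_t& pos) {
  ++pos;
  while (pos < in.size()) {
    char c = in[pos++];
    if (c == '\\') {
      if (pos >= in.size()) return Result::IncompleteInput;
      ++pos;  // skip the escaped character
    } else if (c == '"') {
      return Result::Ok;
    }
  }
  return Result::IncompleteInput;
}

// Consumes an object ('}') or array (']'). `limit` is the number of nesting
// levels still permitted here; zero means "do not open another container".
static Result skipContainer(const std::string& in, size_t& pos, size_t limit, char close) {
  if (limit == 0) return Result::TooDeep;  // refuse before recursing any deeper
  ++pos;                                    // consume the opening '{' or '['
  skipWs(in, pos);
  if (pos < in.size() && in[pos] == close) { ++pos; return Result::Ok; }  // empty
  for (;;) {
    skipWs(in, pos);
    if (close == '}') {  // object members are "key": value
      if (pos >= in.size()) return Result::IncompleteInput;
      if (in[pos] != '"') return Result::InvalidInput;
      Result r = skipString(in, pos);
      if (r != Result::Ok) return r;
      skipWs(in, pos);
      if (pos >= in.size()) return Result::IncompleteInput;
      if (in[pos] != ':') return Result::InvalidInput;
      ++pos;
    }
    Result r = skipValue(in, pos, limit - 1);  // one level spent on this container
    if (r != Result::Ok) return r;
    skipWs(in, pos);
    if (pos >= in.size()) return Result::IncompleteInput;
    if (in[pos] == ',') { ++pos; continue; }
    if (in[pos] == close) { ++pos; return Result::Ok; }
    return Result::InvalidInput;
  }
}

static Result skipValue(const std::string& in, size_t& pos, size_t limit) {
  skipWs(in, pos);
  if (pos >= in.size()) return Result::IncompleteInput;
  char c = in[pos];
  if (c == '{') return skipContainer(in, pos, limit, '}');
  if (c == '[') return skipContainer(in, pos, limit, ']');
  if (c == '"') return skipString(in, pos);
  // Scalar (number, true, false, null): consume up to the next delimiter.
  size_t start = pos;
  while (pos < in.size() && in[pos] != ',' && in[pos] != '}' && in[pos] != ']' &&
         in[pos] != ' ' && in[pos] != '\t' && in[pos] != '\n' && in[pos] != '\r')
    ++pos;
  return pos > start ? Result::Ok : Result::InvalidInput;
}

// Counterpart of deserializeJson(doc, input, DeserializationOption::NestingLimit(n)):
// the optional argument overrides the compile-time default for this call only.
Result checkNesting(const std::string& in, size_t limit = DEMO_DEFAULT_NESTING_LIMIT) {
  size_t pos = 0;
  Result r = skipValue(in, pos, limit);
  if (r != Result::Ok) return r;
  skipWs(in, pos);
  return pos == in.size() ? Result::Ok : Result::InvalidInput;
}

// Constructed attacker payload: n opening brackets followed by n closing ones.
std::string nested(size_t n) { return std::string(n, '[') + std::string(n, ']'); }

int main() {
  const char* names[] = {"Ok", "TooDeep", "IncompleteInput", "InvalidInput"};
  std::printf("10 levels, default limit: %s\n", names[(int)checkNesting(nested(10))]);
  std::printf("11 levels, default limit: %s\n", names[(int)checkNesting(nested(11))]);
  std::printf("11 levels, limit 20:      %s\n", names[(int)checkNesting(nested(11), 20)]);
  // Rejected after 11 frames; without the check it would recurse 100000 times.
  std::printf("100000 levels, default:   %s\n", names[(int)checkNesting(nested(100000))]);
  return 0;
}
```

The point to take away is where the check sits: the limit is tested before the recursive call, not after, so a payload of a hundred thousand brackets costs eleven stack frames rather than a hundred thousand. Raising the limit, whether through the macro or per call, buys exactly that many extra frames for every deserialization, so pick the smallest value your real documents need.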

Everything on this page applies equally to MessagePack: deserializeMsgPack() enforces the same nesting limit and accepts the same DeserializationOption::NestingLimit argument.

See also