Hutool

By the Year

In 2026 there have been 0 vulnerabilities in Hutool. Hutool did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 9 8.48
2022 5 7.96
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 1 7.50

It may take a day or so for new Hutool vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Hutool Security Vulnerabilities

Stack Overflow in NumberUtil.toBigDecimal (hutool-core v5.8.23)
CVE-2023-51080 7.5 - High - December 27, 2023

The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.

Memory Corruption

DoS via infinite loop in HutoolCore v5.8.23 (StrSplitter splitByRegex)
CVE-2023-51075 7.5 - High - December 27, 2023

hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two parameters.

Infinite Loop

Hutool 5.8.21 JSONUtil Buffer Overflow
CVE-2023-42278 7.5 - High - September 08, 2023

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

Classic Buffer Overflow

Hutool 5.8.21 Buffer Overflow in jsonObject.putByPath
CVE-2023-42277 9.8 - Critical - September 08, 2023

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

Classic Buffer Overflow

Hutool v5.8.21 Buffer Overflow via jsonArray
CVE-2023-42276 9.8 - Critical - September 08, 2023

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

Classic Buffer Overflow

JSONUtil 5.0 DoS via Cyclic Dependencies (CVE-2023-34615)
CVE-2023-34615 7.5 - High - June 14, 2023

An issue was discovered in JSONUtil through 5.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.

Memory Corruption

Hutool prior to 5.8.17 Info Disclosure via File.createTempFile()
CVE-2023-33695 7.1 - High - June 13, 2023

Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.

Incorrect Permission Assignment for Critical Resource

Dromara Hutool <5.8.21 SQLi via Aviator Template Engine
CVE-2023-24163 9.8 - Critical - January 31, 2023

SQL Injection vulnerability in Dromara hutool before 5.8.21 allows an attacker to execute arbitrary code via the aviator template engine.

SQL Injection

Dromara Hutool v5.8.11 Deserialization via XmlUtil.readObject (CVE-2023-24162)
CVE-2023-24162 9.8 - Critical - January 31, 2023

Deserialization vulnerability in Dromara Hutool v5.8.11 allows an attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.

Marshaling, Unmarshaling

HuTool <5.8.10 ZipUtil Remote Resource Exhaustion CVE-2022-4565
CVE-2022-4565 7.5 - High - December 16, 2022

A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.8.11 is able to address this issue. It is recommended to upgrade the affected component. VDB-215974 is the identifier assigned to this vulnerability.

Improper Resource Shutdown or Release

hutool-json 5.8.10: JSONTokener.nextValue overflow via crafted JSON/XML (DoS)
CVE-2022-45690 7.5 - High - December 13, 2022

A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Memory Corruption

Hutool-JSON v5.8.10 OOM Error
CVE-2022-45689 7.5 - High - December 13, 2022

hutool-json v5.8.10 was discovered to contain an out of memory error.

Memory Corruption

Stack Overflow in hutooljson 5.8.10 XML.toJSONObject causing DoS
CVE-2022-45688 7.5 - High - December 13, 2022

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Memory Corruption

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.
CVE-2022-22885 9.8 - Critical - February 16, 2022

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.

Improper Certificate Validation

The unzip function in ZipUtil.java in Hutool before 4.1.12
CVE-2018-17297 7.5 - High - September 21, 2018

The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive.

Directory traversal
