If I'm not mistaken, this is bad: it enables a trivial DoS attack against any web service that accepts floating-point input. (For instance, one of the commenters on the OP noted that Google Spreadsheets backends are vulnerable.) This includes, as a special case, any service that accepts JSON input.
I expect a lot of teams will have to rush out a patch. I feel for them...
Incidentally, I haven't seen a simple workaround posted anywhere. Has anyone seen a regexp or code snippet that can identify strings which would trigger this bug?
Because JSON can include floating-point numbers. If you pass { foo: 2.2250738585072012e-308 } to any JSON service, I'd expect it to invoke Double.parseDouble(...) as part of its input processing, and trip over the bug. This would probably occur before any type checking of the input, and thus would probably work even for a service which does not expect floating-point inputs.
Right -- when I said "any service that accepts JSON input", I meant "any JVM-based service that accepts JSON input". I thought the JVM qualification would be clear from the context of this thread, apologies if it wasn't.
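Responding to the request above for a snippet that can identify trigger strings, here is an added example; it is not code from the thread or from any of its commenters. It is written in Python because Python's decimal module parses a numeral exactly, so the check can inspect the string's value without ever calling a binary float parser that might itself loop. The window it uses (one subnormal spacing, 2^-1074, around the smallest normal double 2^-1022, which the thread's 2.2250738585072012e-308 sits just below) is my own conservative choice, not a published bound for the bug; the JSON number regex, the handling of Java's trailing f/d type suffix, and the function names are likewise assumptions of this example.

```python
import math
import re
from decimal import Decimal, InvalidOperation

# 2^-1022, the smallest positive normal double: the value the thread's trigger
# string 2.2250738585072012e-308 sits just below. Decimal(float) converts exactly.
MIN_NORMAL = Decimal(math.ldexp(1.0, -1022))
# 2^-1074, the spacing between adjacent doubles at that boundary (one subnormal ulp).
SUBNORMAL_ULP = Decimal(math.ldexp(1.0, -1074))

# Java's Double.parseDouble accepts an optional trailing f/F/d/D type suffix;
# strip it so "2.2250738585072012e-308d" is inspected like the plain form.
_JAVA_SUFFIX = re.compile(r"[fFdD]$")

# JSON number grammar. Matching it over the raw text also hits digits inside
# JSON strings, which makes the scan conservative (false positives) rather than exact.
_JSON_NUMBER = re.compile(r"-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?")


def exact_decimal(s):
    """Return the exact decimal value of a Java-style numeric string, or None.

    Decimal parses a string exactly, with no binary rounding, so this check never
    needs a float parser and cannot itself hang on the input.
    """
    try:
        return Decimal(_JAVA_SUFFIX.sub("", s.strip()))
    except InvalidOperation:
        return None


def near_normal_boundary(s, ulps=1):
    """True if the numeral's value lies within `ulps` subnormal spacings of +/-2^-1022.

    The window width is an assumption (a conservative choice, not a published bound).
    It covers 2.2250738585072012e-308 and rewritings of it such as
    22250738585072012e-324 or 0.00022250738585072012e-304, and the negated forms.
    Hex-float literals (0x1p-1022) are not decimal input and are not examined here.
    """
    d = exact_decimal(s)
    if d is None or not d.is_finite():
        return False
    return abs(abs(d) - MIN_NORMAL) <= SUBNORMAL_ULP * ulps


def find_trigger_numbers(json_text, ulps=1):
    """Return every number token in a raw JSON document that falls in the window.

    Meant as a pre-check on the request body before it reaches a JVM JSON parser;
    an empty list means nothing in the document needs to be rejected.
    """
    return [m.group(0) for m in _JSON_NUMBER.finditer(json_text)
            if near_normal_boundary(m.group(0), ulps)]


if __name__ == "__main__":
    # Constructed sample request body, not a captured one.
    body = '{"foo": 2.2250738585072012e-308, "bar": [1.5, 0.00022250738585072012e-304]}'
    print(find_trigger_numbers(body))
```

The window is deliberately wider than the single string quoted in the thread: rejecting a handful of harmless values a few subnormal steps away from 2^-1022 costs nothing, while missing one rewriting of the trigger (a shifted decimal point, a different exponent, an upper-case E, a trailing d) costs you the thread that was asked to parse it. Widen `ulps` if you want more margin.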