JSON-RPC / Serialization Attacks
Description#
A2A uses JSON-RPC 2.0 for message transport. Malformed or adversarial JSON-RPC messages can exploit parsing vulnerabilities in agent implementations. Attack vectors include oversized payloads that exhaust memory, deeply nested JSON structures that cause stack overflows during parsing, duplicate keys that resolve differently across implementations (enabling request smuggling), and type confusion where a string field contains a number or vice versa. While JSON-RPC is a mature protocol, agent-specific implementations often add custom deserialization for A2A message types (tasks, artifacts, Agent Cards) that may not handle adversarial input safely. Prototype pollution through JSON parsing is a particular risk in JavaScript-based agent implementations where __proto__ or constructor properties in JSON payloads can modify object prototypes.
References#
Legion Security analysis of JSON-RPC transport security in A2A protocol implementations
CSA MAESTRO identifying message parsing and serialization as an A2A attack surface
Framework Mappings#
Attack Structure#
Message Flow#
Indicators · match any#
YAML#
oatf: "0.1"
attack:
id: OATF-035
name: "JSON-RPC / Serialization Attacks"
version: 1
status: draft
created: 2026-03-18
author: "Oleg Mukhin"
description: |
A2A uses JSON-RPC 2.0 for message transport. Malformed or adversarial
JSON-RPC messages can exploit parsing vulnerabilities in agent
implementations. Attack vectors include oversized payloads that exhaust
memory, deeply nested JSON structures that cause stack overflows during
parsing, duplicate keys that resolve differently across implementations
(enabling request smuggling), and type confusion where a string field
contains a number or vice versa. While JSON-RPC is a mature protocol,
agent-specific implementations often add custom deserialization for A2A
message types (tasks, artifacts, Agent Cards) that may not handle
adversarial input safely. Prototype pollution through JSON parsing is