Confusion between \0 and EOF can lead to OutOfMemoryError #758

@eamonnmcmanus

Description

JSONTokener.next() uses a 0 return to indicate EOF. But 0 is also returned when an actual \0 character is read. In some circumstances that can be used to circumvent parser checks. Parsing untrusted input could then potentially lead to OutOfMemoryError even for quite small input strings.
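To make the sentinel collision concrete, here is an added illustration, constructed for this page and not JSON-java's own JSONTokener code: a minimal tokener that returns the char 0 for end of input, beside a variant that reserves an out-of-band int sentinel so a literal NUL in the payload cannot masquerade as EOF. The class and method names are assumptions.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Mirrors the flaw: next() returns the char 0 for both end of input and a literal NUL. */
final class AmbiguousTokener {
    private final Reader in;
    AmbiguousTokener(Reader in) { this.in = in; }

    char next() throws IOException {
        int c = in.read();
        return c < 0 ? 0 : (char) c;   // EOF collapses onto the same value as '\0'
    }
}

/** Hardened variant: EOF is an int sentinel outside the char range, so '\0' stays a plain char. */
final class UnambiguousTokener {
    static final int EOF = -1;
    private final Reader in;
    private boolean eof;
    UnambiguousTokener(Reader in) { this.in = in; }

    int next() throws IOException {
        int c = in.read();
        if (c < 0) { eof = true; return EOF; }
        return c;                      // 0..0xFFFF, including a literal NUL
    }
    boolean end() { return eof; }
}

public class SentinelDemo {
    /** Reads until the tokener signals EOF; a NUL inside the payload ends the loop early. */
    static int countAmbiguous(String s) throws IOException {
        AmbiguousTokener t = new AmbiguousTokener(new StringReader(s));
        int n = 0;
        while (t.next() != 0) n++;
        return n;
    }
    /** Reads until the real end of input; every char, NUL included, is counted. */
    static int countUnambiguous(String s) throws IOException {
        UnambiguousTokener t = new UnambiguousTokener(new StringReader(s));
        int n = 0;
        while (t.next() != UnambiguousTokener.EOF) n++;
        return n;
    }
    public static void main(String[] args) throws IOException {
        String input = "ab\0cd";       // constructed input with an embedded NUL
        System.out.println("ambiguous:   " + countAmbiguous(input));
        System.out.println("unambiguous: " + countUnambiguous(input));
    }
}
```

The hardened shape is the same contract java.io.Reader.read() already follows: return an int and reserve -1 for end of stream, so every EOF check in the parser tests the sentinel rather than a value that untrusted input can supply.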
