DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-6G7G-W4F8-9C9X: Denial of Service via Negative Slice Index in github.com/buger/jsonparser

Vulnerability ID: GHSA-6G7G-W4F8-9C9X
CVSS Score: 7.5
Published: 2026-03-18

A denial-of-service vulnerability exists in github.com/buger/jsonparser through version 1.1.1. The Delete function does not validate the offset it computes while processing malformed JSON; a negative offset is used as a slice index, which raises a runtime panic. Unless the goroutine that called Delete recovers the panic, the process terminates.

TL;DR

Unvalidated offset calculations in jsonparser's Delete function turn a malformed JSON payload into a runtime panic, which an attacker who controls the input can use to take down the process (denial of service).


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-129 (Improper Validation of Array Index)
  • Attack Vector: Network (Remote)
  • CVSS v3.1: 7.5 (High)
  • Impact: Denial of Service (Process Termination)
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • github.com/buger/jsonparser <= 1.1.1 (Go module)
  • Go applications that call jsonparser.Delete() on untrusted input, e.g. API gateways and logging pipelines that strip fields from client-supplied JSON

Exploit Details

  • GitHub Issue: Original issue report containing the PoC with the specific malformed JSON fragment.

Mitigation Strategies

  • Recover from the panic at the call site: defer a function that calls recover() in the same goroutine that runs jsonparser.Delete(), and turn the panic into an error response. recover() does not cross goroutines, so a guard in HTTP middleware covers only the handler goroutine; a worker goroutine that calls Delete() on its own needs its own deferred recover() or it still terminates the process. (Go's net/http server already recovers panics raised inside a handler, logs them and closes the connection, so unguarded process termination is most likely in goroutines spawned by handlers and in non-HTTP consumers such as log pipelines.)
  • Pre-validate incoming payloads with the standard library's json.Valid() before passing them to jsonparser. This rejects the syntactically malformed input that triggers the bug at the cost of one extra pass over the payload; keep the recover() guard as well, since validation only filters the known trigger.
  • Apply a manual bounds check (reject a negative offset before it is used to slice) to vendored copies of the library until an upstream release contains the fix.

Remediation Steps:

  1. Identify every code path that passes untrusted input to github.com/buger/jsonparser.Delete(), including background goroutines and batch consumers, not only HTTP handlers.
  2. In each of those functions (and in each goroutine they spawn), add a deferred recover() that logs the recovered value and returns an error. A bare defer func() { recover() }() keeps the process alive but silently hides the attack, so record what was recovered.
  3. Where the extra pass over the payload is acceptable for performance, call json.Valid() on the payload and reject it before jsonparser runs.
  4. Vendor the dependency and add the boundary check at the offset computation in parser.go (the report cites parser.go:729): if offset < 0 { return data }. Replace the vendored copy with an upstream release once one carries the fix.
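The guarded call site that the mitigation list and the remediation steps describe, as an added Go example that is not code from this advisory or from the jsonparser project. The library itself is not imported here: vulnerableDelete and patchedDelete are constructed stand-ins for a flat-object Delete without and with the bounds check, and their trigger (an offset of -1 when the key is not found) reproduces the failure class, a negative slice index, rather than the library's exact code path. SafeDelete, the DeleteFunc type and the sample payloads are assumptions as well.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// DeleteFunc matches the shape of jsonparser.Delete(data []byte, keys ...string) []byte.
type DeleteFunc func(data []byte, keys ...string) []byte

var (
	ErrInvalidJSON = errors.New("payload rejected: not valid JSON")
	ErrParserPanic = errors.New("parser panicked")
)

// SafeDelete is the guarded call site the advisory recommends: reject
// malformed input with json.Valid, then run del under a deferred recover so a
// slice-bounds panic becomes an error instead of killing the process. The
// recover only works because del runs on this same goroutine.
func SafeDelete(del DeleteFunc, data []byte, keys ...string) (out []byte, err error) {
	if !json.Valid(data) {
		return nil, ErrInvalidJSON
	}
	defer func() {
		if r := recover(); r != nil {
			// Log r in real code: silently swallowing it hides the attack.
			out, err = nil, fmt.Errorf("%w: %v", ErrParserPanic, r)
		}
	}()
	return del(data, keys...), nil
}

// vulnerableDelete is a constructed stand-in (not jsonparser's code) for an
// unpatched Delete on a flat object with simple scalar values: it derives an
// offset from the payload and slices with it without a bounds check, so an
// offset of -1 (here: key not found) panics with "slice bounds out of range".
func vulnerableDelete(data []byte, keys ...string) []byte {
	needle := []byte(`"` + keys[0] + `":`)
	start := bytes.Index(data, needle) // -1 when the key is absent
	head := data[:start]               // runtime panic when start < 0
	rest := data[start+len(needle):]
	if comma := bytes.IndexByte(rest, ','); comma >= 0 {
		// Member in the middle: keep everything before the key, skip to the next member.
		return append(append([]byte{}, head...), rest[comma+1:]...)
	}
	// Last member: drop the key/value and the comma that preceded it.
	head = bytes.TrimRight(head, ", ")
	return append(append([]byte{}, head...), rest[bytes.IndexByte(rest, '}'):]...)
}

// patchedDelete adds the bounds check from the remediation step
// (`if offset < 0 { return data }`) in front of the same stand-in.
func patchedDelete(data []byte, keys ...string) []byte {
	if bytes.Index(data, []byte(`"`+keys[0]+`":`)) < 0 {
		return data
	}
	return vulnerableDelete(data, keys...)
}

func main() {
	truncated := []byte(`{"user":"alice","token":"s3cr`) // constructed malformed payload
	_, err := SafeDelete(vulnerableDelete, truncated, "token")
	fmt.Println("truncated payload:", err)

	noKey := []byte(`{"user":"alice"}`) // valid JSON, key absent
	_, err = SafeDelete(vulnerableDelete, noKey, "token")
	fmt.Println("unpatched stand-in, key absent:", err)

	out, err := SafeDelete(patchedDelete, noKey, "token")
	fmt.Printf("patched stand-in, key absent: %s (err=%v)\n", out, err)

	out, err = SafeDelete(patchedDelete, []byte(`{"user":"alice","token":"s3cret"}`), "token")
	fmt.Printf("patched stand-in, key present: %s (err=%v)\n", out, err)
}
```

The truncated payload never reaches the parser because json.Valid rejects it; the panic path is exercised with valid JSON instead, which is why the recover guard stays in place even after validation is added. SafeDelete must be called on the goroutine that does the parsing: wrapping a worker pool's dispatcher in it would not catch a panic inside a worker.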
