GitHub JSONparser Negative Slice Index Panic Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in version 1.1.1 of the GitHub JSONparser library. The issue lies in the Delete function, which does not properly validate offsets while handling malformed JSON input. The flaw can produce a negative slice index, causing a runtime panic that crashes the application. Any service that passes untrusted JSON data to the Delete function is exposed to this vulnerability.
Impact
Exploitation of this vulnerability leads to a runtime panic caused by a negative slice index, which crashes the application. According to the Go Vulnerability Database, this vulnerability has a high severity rating.
Reproduction
To reproduce this vulnerability, use version 1.1.1 of the GitHub JSONparser library. Call the Delete function with malformed JSON input that creates a negative offset. The function will panic with a slice bounds error, indicating that the input was not properly validated.
Remediation
Users can upgrade to GitHub JSONparser version 1.1.2, which addresses this vulnerability.
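Until the upgrade to 1.1.2 has been rolled out, a service can keep a panicking Delete call from taking the whole process down by isolating the call behind a recover guard. The following is an added example written for this advisory, not code from the JSONparser project: safeDelete takes the deleting function as a parameter (assumed to have the same `func([]byte, ...string) []byte` shape as jsonparser.Delete) so the example runs without the library, and the two stand-in functions are constructed for the demonstration.

```go
package main

import "fmt"

// deleteFunc is the assumed shape of jsonparser.Delete:
// func(data []byte, keys ...string) []byte.
type deleteFunc func(data []byte, keys ...string) []byte

// safeDelete runs del on data and converts a runtime panic (such as the
// negative slice index triggered by malformed input) into an ordinary
// error, so one bad request cannot crash the whole service.
func safeDelete(del deleteFunc, data []byte, keys ...string) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = nil
			err = fmt.Errorf("delete panicked on untrusted input: %v", r)
		}
	}()
	return del(data, keys...), nil
}

// panickingDelete is a constructed stand-in for the vulnerable behaviour:
// it slices with a negative offset, which panics at runtime with
// "slice bounds out of range", as the advisory describes.
func panickingDelete(data []byte, keys ...string) []byte {
	off := -1 // a variable, so the compiler does not reject the slice expression
	return data[off:]
}

// wellBehavedDelete is a constructed stand-in that returns its input unchanged.
func wellBehavedDelete(data []byte, keys ...string) []byte {
	return data
}

func main() {
	doc := []byte(`{"a":1}`) // constructed sample input

	if _, err := safeDelete(panickingDelete, doc, "a"); err != nil {
		fmt.Println("recovered:", err) // the service keeps running
	}
	if out, err := safeDelete(wellBehavedDelete, doc, "a"); err == nil {
		fmt.Println("ok:", string(out))
	}
}
```

The guard is a stop-gap for the crash only; upgrading to 1.1.2 remains the fix.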