Description
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The Delete function in the jsonparser Go library incorrectly handles offset values when parsing malformed JSON, allowing a negative slice index that triggers a runtime panic. This panic terminates the program, resulting in a denial of service. The faulty logic stems from improper input validation associated with CWE-1285.

Affected Systems

All releases of github.com/buger/jsonparser prior to the published fix are affected. Projects that embed the Delete function and accept untrusted JSON may be vulnerable. Based on the description, it is inferred that all releases before the fix are affected, and the exact version range is not specified in the advisory, so users should refer to the library’s release notes for the patched version.

Risk and Exploitability

The vulnerability has a CVSS base score of 7.5, indicating high impact. EPSS score is less than 1%, suggesting low probability of exploitation. It is not listed in the CISA KEV catalog. The faulty Delete function can be triggered by supplying crafted malformed JSON to any interface that uses the function. Based on the description, it is inferred that an attacker could cause a crash without needing elevated privileges.

Generated by OpenCVE AI on March 28, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of github.com/buger/jsonparser that includes the offset validation fix
  • If an update cannot be applied immediately, avoid using the Delete function with untrusted or externally supplied JSON
  • Add defensive checks in your application to catch potential panics or validate JSON before passing it to the library
  • Monitor application logs for panic events and ensure graceful error handling

Generated by OpenCVE AI on March 28, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6g7g-w4f8-9c9x Denial of service in github.com/buger/jsonparser
History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Buger
Buger jsonparser
Vendors & Products Buger
Buger jsonparser

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Title Denial of service in github.com/buger/jsonparser
References

Subscriptions

Buger Jsonparser
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-20T19:01:23.660Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32285

cve-icon Vulnrichment

Updated: 2026-03-30T14:06:20.581Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T20:16:12.197

Modified: 2026-03-30T15:16:27.963

Link: CVE-2026-32285

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T19:40:51Z

Links: CVE-2026-32285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:27:52Z

Weaknesses