High severity · 7.5 · NVD Advisory · Published Mar 26, 2026 · Updated Apr 21, 2026
CVE-2026-32285
Description
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/buger/jsonparser (Go) | < 1.1.2 | 1.1.2 |
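For callers still on an affected version, one way to keep malformed input from reaching `Delete` and to contain any remaining panic is sketched below. This is an added example, not code from the advisory or from the jsonparser project: `GuardedDelete`, `DeleteFunc`, `ErrMalformed` and `uncheckedStandIn` are hypothetical names, and the stand-in only imitates the unchecked-offset pattern so the block runs with the standard library alone.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// DeleteFunc has the signature of Delete as shown in the patch.
type DeleteFunc func(data []byte, keys ...string) []byte

// ErrMalformed reports input rejected before the delete function runs.
var ErrMalformed = errors.New("input is not valid JSON")

// GuardedDelete (hypothetical helper) refuses malformed input up front and
// turns any remaining runtime panic into an error, returning data unchanged.
func GuardedDelete(del DeleteFunc, data []byte, keys ...string) (out []byte, err error) {
	if !json.Valid(data) {
		return data, ErrMalformed
	}
	defer func() {
		if r := recover(); r != nil {
			out, err = data, fmt.Errorf("delete panicked: %v", r)
		}
	}()
	return del(data, keys...), nil
}

// uncheckedStandIn is constructed for this example, not the library's code:
// it ignores a failed lookup and slices with the resulting -1 offset.
func uncheckedStandIn(data []byte, keys ...string) []byte {
	end := bytes.IndexByte(data, '}') // -1 when no closing brace exists
	return data[:end]                 // panics on -1: negative slice index
}

func main() {
	// Malformed inputs taken from the regression tests in the patch, plus
	// one constructed valid document that still trips the stand-in.
	for _, in := range []string{`"0":"0":`, `{"a": `, `{"a":{"b": `, `[1]`} {
		_, err := GuardedDelete(uncheckedStandIn, []byte(in), "a")
		fmt.Printf("%-14q -> %v\n", in, err)
	}
}
```

In a real service the first argument would be the library's `Delete`; the `json.Valid` pass costs a full extra parse of each document, so it is a stopgap until the dependency is at 1.1.2.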
Affected products (1)
Patches (1)
a69e7e01cd4a · Merge pull request #276 from dbarrosop/master
2 files changed · +25 −3
parser.go+7 −3 modified@@ -731,7 +731,7 @@ func Delete(data []byte, keys ...string) []byte { if !array { if len(keys) > 1 { _, _, startOffset, endOffset, err = internalGet(data, keys[:lk-1]...) - if err == KeyPathNotFoundError { + if err != nil { // problem parsing the data return data } @@ -743,7 +743,11 @@ func Delete(data []byte, keys ...string) []byte { return data } keyOffset += startOffset - _, _, _, subEndOffset, _ := internalGet(data[startOffset:endOffset], keys[lk-1]) + var subEndOffset int + _, _, _, subEndOffset, err = internalGet(data[startOffset:endOffset], keys[lk-1]) + if err != nil { + return data + } endOffset = startOffset + subEndOffset tokEnd := tokenEnd(data[endOffset:]) tokStart := findTokenStart(data[:keyOffset], ","[0]) @@ -757,7 +761,7 @@ func Delete(data []byte, keys ...string) []byte { } } else { _, _, keyOffset, endOffset, err = internalGet(data, keys...) - if err == KeyPathNotFoundError { + if err != nil { // problem parsing the data return data }
parser_test.go+18 −0 modified@@ -227,6 +227,24 @@ var deleteTests = []DeleteTest{ path: []string{"test"}, data: ` {}`, }, + { + desc: "GO-2026-4514: malformed JSON without enclosing braces should not panic", + json: `"0":"0":`, + path: []string{"0"}, + data: `"0":"0":`, + }, + { + desc: "GO-2026-4514: malformed JSON with key but truncated value should not panic", + json: `{"a": `, + path: []string{"a"}, + data: `{"a": `, + }, + { + desc: "GO-2026-4514: malformed nested JSON with truncated value should not panic", + json: `{"a":{"b": `, + path: []string{"a", "b"}, + data: `{"a":{"b": `, + }, } var setTests = []SetTest{
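Review bot: in parser.go, after the new `err != nil` return in the second hunk, `endOffset = startOffset + subEndOffset` still feeds `data[endOffset:]` and `data[:keyOffset]` with no range check, so the fix holds only while `internalGet` reports an error for every malformed input. Consider an explicit guard before the slicing, for example `if keyOffset < 0 || endOffset < 0 || endOffset > len(data) { return data }`. The retained comment `// problem parsing the data` now sits on a branch that also covers a missing key, and `Delete` returns `data` unchanged in both cases; a line in the function's doc comment should say that callers cannot tell a malformed document from an absent key by the return value.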
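Review bot: in parser_test.go, the three added cases all use object-key paths (`"0"`, `"a"`, and `"a", "b"`), while the third parser.go hunk also changes the `else` arm of `if !array`, and none of the new cases visibly reaches it. Add a malformed-input case whose path takes that arm so the third `err != nil` change is pinned by a regression test as well.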
References (9)
- securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026 (nvd: Exploit, Third Party Advisory; WEB)
- github.com/advisories/GHSA-6g7g-w4f8-9c9x (ghsa: ADVISORY)
- github.com/buger/jsonparser/issues/275 (nvd: Issue Tracking, Third Party Advisory; WEB)
- github.com/golang/vulndb/issues/4514 (nvd: Issue Tracking, Third Party Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32285 (ghsa: ADVISORY)
- pkg.go.dev/vuln/GO-2026-4514 (nvd: Third Party Advisory; WEB)
- github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b0 (ghsa: WEB)
- github.com/buger/jsonparser/pull/276 (ghsa: WEB)
- github.com/buger/jsonparser/releases/tag/v1.1.2 (ghsa: WEB)