CVE-2026-32285
Denial of Service via JSON Offset Validation Flaw in Go Delete Function
Publication date: 2026-03-26
Last updated on: 2026-04-21
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jsonparser_project | jsonparser | all versions before 1.1.2 (upper bound exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS). When an application uses the vulnerable Delete function to process JSON data, an attacker can supply malformed JSON input that makes the function compute a negative slice index; the resulting runtime panic crashes the application.
As a result, any service or application that relies on this function to manipulate JSON from untrusted or external sources can be made unavailable by a single malicious payload.
Can you explain this vulnerability to me?
The vulnerability identified as CVE-2026-32285 affects the Delete function in the Go package github.com/buger/jsonparser. This function fails to properly validate offsets when processing malformed JSON input. Specifically, it can compute a negative slice index (such as -1) without checking that the index is valid. Slicing with that negative index causes a runtime panic with a `slice bounds out of range` error.
The panic occurs because the Delete function attempts to slice the JSON data at an invalid negative offset. Since the library does not recover the panic itself, it propagates to the caller and, unless the caller recovers it, terminates the whole process.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected application or system component that uses the github.com/buger/jsonparser package, specifically the Delete() function, with crafted malformed JSON input that triggers the runtime panic.
A minimal input known to trigger the panic is the eight-byte string `"0":"0":` (the quotes are part of the payload). Using this input in a test can help identify whether the application is vulnerable.
To detect the vulnerability, you can run the application or service with debugging or logging enabled and send malformed JSON payloads similar to the minimal input. Observe if the application crashes with a runtime panic error mentioning "slice bounds out of range [-1:]" or references parser.go line 729.
No specific ready-made commands are provided in the resources, but a general approach is to use tools like curl or custom scripts to send malformed JSON payloads to the service endpoints that use the vulnerable Delete() function.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service (DoS) by crashing applications that use the affected Delete() function when processing malformed JSON input.
However, there is no information provided about any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
As of the report date, there are no known fixed versions or patches available for this vulnerability.
Immediate mitigation steps include:
- Avoid processing untrusted or malformed JSON input with the Delete() function of the github.com/buger/jsonparser package.
- Validate that JSON data is well-formed before passing it to the vulnerable function, for example with json.Valid from the standard library's encoding/json package (note that this costs a full parse, which removes part of the speed advantage that motivates using jsonparser in the first place).
- Wrap calls to Delete() in a function with a deferred recover() so that a panic on one malicious request is converted into an error instead of terminating the entire process.
- Monitor application logs for runtime panics mentioning `slice bounds out of range` and respond accordingly.
Stay updated with the official Go vulnerability database and the github.com/buger/jsonparser repository for any forthcoming patches or fixes.
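The following Go program is an added example, not code from this page or from the jsonparser project. It shows both things a practitioner needs here: a probe that feeds the minimal payload quoted above to a Delete-style function and reports whether it panics with the advisory's `slice bounds out of range` signature (detection), and a wrapper with a deferred recover() that turns such a panic into an error (mitigation). Both take the target function as a parameter whose type matches the signature of jsonparser.Delete (`Delete(data []byte, keys ...string) []byte`), so the real function can be passed in; to run offline, the program uses `vulnerableDelete`, a constructed stand-in that reproduces the described failure mode (an unchecked -1 offset) and is not the library's actual code. The key `"0"` passed alongside the payload is an assumption; the advisory does not state which keys were used.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DeleteFunc matches the signature of jsonparser.Delete so that the real
// function (or the stand-in below) can be handed to the probe and the wrapper.
type DeleteFunc func(data []byte, keys ...string) []byte

// MinimalPayload is the input the advisory reports as sufficient to trigger the panic.
const MinimalPayload = `"0":"0":`

// ErrMalformedJSON is returned by SafeDelete when the wrapped function panics.
var ErrMalformedJSON = errors.New("jsonparser: Delete panicked on malformed input")

// vulnerableDelete is a constructed stand-in, not jsonparser's implementation.
// It naively removes one top-level key from a flat object. For malformed input
// with no closing brace the end offset stays -1 and is used unchecked (CWE-129),
// which panics with "slice bounds out of range [-1:]" as the advisory describes.
func vulnerableDelete(data []byte, keys ...string) []byte {
	if len(keys) == 0 {
		return data
	}
	s := string(data)
	start := strings.Index(s, `"`+keys[0]+`":`)
	if start < 0 {
		return data // key not present, nothing to delete
	}
	// The value ends at the next ',' or at the closing '}'.
	end := strings.IndexByte(s[start:], ',')
	if end >= 0 {
		end += start + 1 // skip the comma as well
	} else {
		end = strings.LastIndexByte(s, '}') // -1 when the input has no closing brace
		if start > 0 && data[start-1] == ',' {
			start-- // also drop the comma that preceded the last member
		}
	}
	// Missing bounds check: end may be -1 here.
	return append(append([]byte{}, data[:start]...), data[end:]...)
}

// SafeDelete runs fn under a deferred recover so that a panic on
// attacker-controlled JSON becomes an error instead of crashing the process.
func SafeDelete(fn DeleteFunc, data []byte, keys ...string) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("%w: %v", ErrMalformedJSON, r)
		}
	}()
	return fn(data, keys...), nil
}

// PanicsOnPayload reports whether fn panics on payload and returns the panic message,
// so a service can be probed without taking it down.
func PanicsOnPayload(fn DeleteFunc, payload []byte, keys ...string) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, msg = true, fmt.Sprint(r)
		}
	}()
	_ = fn(payload, keys...)
	return false, ""
}

// IsSliceBoundsPanic checks a recovered message for the signature quoted in the advisory.
func IsSliceBoundsPanic(msg string) bool {
	return strings.Contains(msg, "slice bounds out of range")
}

func main() {
	wellFormed := []byte(`{"a":1,"b":2}`) // constructed sample input
	out, err := SafeDelete(vulnerableDelete, wellFormed, "a")
	fmt.Printf("well-formed: out=%s err=%v\n", out, err)

	out, err = SafeDelete(vulnerableDelete, []byte(MinimalPayload), "0")
	fmt.Printf("malformed:   out=%q err=%v\n", out, err)

	panicked, msg := PanicsOnPayload(vulnerableDelete, []byte(MinimalPayload), "0")
	fmt.Printf("probe: panicked=%v sliceBounds=%v msg=%q\n", panicked, IsSliceBoundsPanic(msg), msg)
}
```

SafeDelete converts every panic, not only runtime slice errors, which is the availability-first choice for a request handler; if you need to let programming errors keep crashing the process, type-assert the recovered value to runtime.Error before converting it. To probe a real build, pass jsonparser.Delete in place of vulnerableDelete and check that the message contains `[-1:]`.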