x/vulndb: potential Go vuln in github.com/buger/jsonparser #4514

@athuljayaram

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

Panic in Delete() via slice bounds out of range [-1:] at parser.go:729
when given malformed JSON input. Delete() computes a negative offset on
certain malformed inputs and uses it directly as a slice index without a
lower-bound check, causing an immediate panic. Affects v1.1.1 (latest).
Distinct from CVE-2020-10675 (an infinite loop in the same function):
this is a different failure class on a separate code path not covered
by that fix.

Affected Modules, Packages, Versions and Symbols

Module: github.com/buger/jsonparser
  Package: github.com/buger/jsonparser
  Versions:
    - Fixed: unknown (not yet patched)
  Symbols:
    - Delete

CVE/GHSA ID

No response

Fix Commit or Pull Request

No response

References

Additional information

Prior related CVE: CVE-2020-10675 was an infinite loop in Delete(),
fixed in v1.1.0. This is a different failure class (negative slice
index panic) in the same function, on a code path not covered by that
fix. Minimal crashing input: data `"0":"0":` with key `0`.
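The failure class described in the report (a parser-computed offset that can go negative being used as a slice bound with no lower-bound check) and the two ways a practitioner deals with it, as an added illustration that is not the jsonparser code and does not reproduce the logic at parser.go:729. `valueEnd`, `tailUnchecked`, `tailChecked` and `guardPanic` are hypothetical names; the inputs are constructed, one of them being the report's minimal crashing payload. `tailChecked` shows the fix a maintainer would apply (validate the offset before indexing and return an error), while `guardPanic` shows the caller-side mitigation available while the library is unpatched: recover the runtime panic per call so one malformed document cannot crash the process.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrMalformed is returned by the hardened path instead of panicking.
var ErrMalformed = errors.New("malformed input: computed offset out of range")

// valueEnd stands in for a parser step that locates the end of a value and
// returns -1 when the expected delimiter is missing. Feeding that -1 into a
// slice expression is the failure class the report describes.
// (Hypothetical helper, not jsonparser code.)
func valueEnd(data []byte) int {
	return bytes.IndexByte(data, ',')
}

// tailUnchecked models the defective pattern: the computed offset is used
// as a slice bound with no lower-bound check. On input with no ',' the
// offset is -1 and data[-1:] panics with
// "runtime error: slice bounds out of range [-1:]".
func tailUnchecked(data []byte) []byte {
	end := valueEnd(data)
	return data[end:]
}

// tailChecked is the hardened form: validate the computed offset against
// both bounds before indexing and report malformed input as an error the
// caller can handle.
func tailChecked(data []byte) ([]byte, error) {
	end := valueEnd(data)
	if end < 0 || end > len(data) {
		return nil, ErrMalformed
	}
	return data[end:], nil
}

// guardPanic is a caller-side mitigation for code that must process
// untrusted input with a parser that has not yet been patched: it converts
// a runtime panic into an error so a single malformed document fails on
// its own instead of taking down the whole process.
func guardPanic(fn func() []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("parser panic on untrusted input: %v", r)
		}
	}()
	return fn(), nil
}

func main() {
	// Constructed inputs: the report's minimal crashing payload and a
	// well-formed one.
	malformed := []byte(`"0":"0":`)
	ok := []byte(`"a":1,"b":2`)

	if _, err := tailChecked(malformed); err != nil {
		fmt.Println("checked:", err)
	}
	if _, err := guardPanic(func() []byte { return tailUnchecked(malformed) }); err != nil {
		fmt.Println("guarded:", err)
	}
	rest, _ := tailChecked(ok)
	fmt.Printf("checked ok: %s\n", rest)
}
```

The recover wrapper is a stopgap, not a fix: it keeps the process alive but still lets an attacker-controlled document burn a parse attempt, so the proper remedy remains the bounds check inside the parser.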
