{"ecosystem":"go","package":"github.com/tidwall/gjson","version":null,"bugs":[{"id":1236,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.5","bug_id":"osv:GHSA-wjm3-fq3r-5x46","title":"github.com/tidwall/gjson is vulnerable to Denial of service","description":"GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36066","labels":["CVE-2020-36066","GO-2022-0957"],"created_at":"2026-04-19T04:32:38.646030+00:00","updated_at":"2026-04-19T04:32:38.646030+00:00"},{"id":1235,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.4","bug_id":"osv:GHSA-w942-gw6m-p62c","title":"Denial of service in GJSON","description":"GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON. Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35380","labels":["CVE-2020-35380","GO-2021-0059"],"created_at":"2026-04-19T04:32:38.645581+00:00","updated_at":"2026-04-19T04:32:38.645581+00:00"},{"id":1234,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.9.3","bug_id":"osv:GHSA-ppj4-34rq-v8j9","title":"github.com/tidwall/gjson Vulnerable to REDoS attack","description":"GJSON is a Go package that provides a fast and simple way to get values from a json document. GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42836","labels":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GO-2021-0265"],"created_at":"2026-04-19T04:32:38.645106+00:00","updated_at":"2026-04-19T04:32:38.645106+00:00"},{"id":1233,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.6","bug_id":"osv:GHSA-p64j-r5f4-pwwx","title":"Improper Validation of Array Index in GJSON","description":"GJSON < 1.6.6 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36067","labels":["CVE-2020-36067","GO-2021-0054"],"created_at":"2026-04-19T04:32:38.643792+00:00","updated_at":"2026-04-19T04:32:38.643792+00:00"},{"id":1240,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.5","bug_id":"osv:GO-2022-0957","title":"Denial of service via maliciously crafted JSON in github.com/tidwall/gjson","description":"A maliciously crafted JSON input can cause a denial of service attack.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc","labels":["CVE-2020-36066","GHSA-wjm3-fq3r-5x46"],"created_at":"2026-04-19T04:32:38.647901+00:00","updated_at":"2026-04-19T04:32:38.647901+00:00"},{"id":1239,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.9.3","bug_id":"osv:GO-2021-0265","title":"Denial of service via maliciously crafted path in github.com/tidwall/gjson","description":"A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96","labels":["CVE-2021-42248","CVE-2021-42836","GHSA-c9gm-7rfj-8w5h","GHSA-ppj4-34rq-v8j9"],"created_at":"2026-04-19T04:32:38.647394+00:00","updated_at":"2026-04-19T04:32:38.647394+00:00"},{"id":1238,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.4","bug_id":"osv:GO-2021-0059","title":"Panic due to improper input validation in Get in github.com/tidwall/gjson","description":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc","labels":["CVE-2020-35380","GHSA-w942-gw6m-p62c"],"created_at":"2026-04-19T04:32:38.646921+00:00","updated_at":"2026-04-19T04:32:38.646921+00:00"},{"id":1237,"ecosystem":"go","package_name":"github.com/tidwall/gjson","affected_version":null,"fixed_version":"1.6.6","bug_id":"osv:GO-2021-0054","title":"Panic due to improper input validation in ForEach in github.com/tidwall/gjson","description":"Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b","labels":["CVE-2020-36067","GHSA-p64j-r5f4-pwwx"],"created_at":"2026-04-19T04:32:38.646451+00:00","updated_at":"2026-04-19T04:32:38.646451+00:00"}],"total":8,"_cache":"miss"}