511 matches found
GHSA-QHWP-454G-2GV4 Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Description The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function lib/sanitize.js when...
CVE-2025-59364
The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...
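As an added illustration, not the package's own lib/sanitize.js: a recursive walk over a parsed JSON request body in the unbounded form the advisory describes, beside a variant that checks a depth limit before recursing. The cleanString helper, the limit of 64, the NestingLimitError type and the probe payloads are assumptions constructed for this example.

```javascript
// Added example, not code from express-xss-sanitizer: a recursive walk over a
// parsed JSON request body, once without a depth limit (the pattern the
// advisory describes) and once with an explicit limit checked before recursing.
// cleanString, NestingLimitError and the limit of 64 are assumptions.
const MAX_DEPTH = 64; // assumed limit; size it to the application's real schemas

// Distinct error type so callers can tell a policy rejection from a crash.
class NestingLimitError extends Error {
  constructor(depth) {
    super(`JSON nesting exceeds ${depth} levels`);
    this.name = 'NestingLimitError';
  }
}

// Hypothetical per-string cleaner standing in for a real XSS sanitizer.
function cleanString(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Unbounded: recursion depth equals the nesting depth of attacker-controlled
// JSON, so a deeply nested body exhausts the call stack (RangeError in V8).
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map(sanitizeUnbounded);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[cleanString(k)] = sanitizeUnbounded(v);
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Bounded: reject before recursing, so at most MAX_DEPTH + 1 frames are used.
function sanitizeBounded(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new NestingLimitError(MAX_DEPTH);
  if (typeof value === 'string') return cleanString(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBounded(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[cleanString(k)] = sanitizeBounded(v, depth + 1);
    return out;
  }
  return value;
}

// Constructed payload: a string wrapped in n nested arrays, built iteratively
// so that building it never recurses.
function nested(n) {
  let v = '<script>x</script>';
  for (let i = 0; i < n; i++) v = [v];
  return v;
}

// Runs both variants on an n-deep body and reports how each one ends.
function probe(n) {
  const body = nested(n);
  const outcome = {};
  try { sanitizeUnbounded(body); outcome.unbounded = 'ok'; }
  catch (e) { outcome.unbounded = e.name; }
  try { sanitizeBounded(body); outcome.bounded = 'ok'; }
  catch (e) { outcome.bounded = e.name; }
  return outcome;
}

console.log(probe(10));      // both variants succeed on a shallow body
console.log(probe(200000));  // unbounded: RangeError, bounded: NestingLimitError
```

The depth check sits before any work on the value, so the bounded variant fails fast with a controlled error on the same 200000-level body that drives the unbounded one into a stack overflow; a body-size limit on the HTTP layer (e.g. express.json's limit option) is a useful second line, but it does not bound nesting, since a few hundred kilobytes of brackets is all the payload needs.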
GHSA-Q86R-GWQC-JX85 Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
JSON Web Services published to OSGi in Liferay Portal 7.4.0 through 7.4.3.119, Liferay DXP 2024.Q1.1 through 2024.Q1.9, and 7.4 GA through update 92 are registered and invoked directly as classes, which allows Service Access Policies to be executed...
AZL-67079 CVE-2025-40928 affecting package perl-JSON-XS for versions less than 4.04-1
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact...
DEBIAN-CVE-2025-40928
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact...
CVE-2025-40930
JSON::SIMD (Perl) is affected by an integer buffer overflow in versions before 1.07, leading to a segfault when parsing crafted JSON and enabling denial-of-service or related impact. Red Hat and other sources corroborate the vulnerability in JSON::SIMD prior to 1.07; the issue arises from a buffe...
CVE-2025-40929 Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact...
GO-2025-3924 HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads in github.com/hashicorp/vault
HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads in github.com/hashicorp/vault...
MetaCPAN JSON::XS security vulnerability
MetaCPAN JSON::XS is a JSON codec module in the Perl language from the MetaCPAN Foundation. A security vulnerability exists in MetaCPAN JSON::XS versions prior to 4.04 that stems from an integer buffer overflow that could lead to a denial of service attack...
Errors returned from JSON marshaling may break template escaping in html/template
...
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.
...
PT-2025-35723
Name of the Vulnerable Software and Affected Versions: cJSON versions 1.5.0 through 1.7.18 Description: cJSON versions 1.5.0 through 1.7.18 contain an out-of-bounds access issue within the decode_array_index_from_pointer function located in cJSON_Utils.c. This allows attackers to bypass array bound...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an improper check of complex JSON in the HTTP handler. An attacker can cause excessive memory and CPU consumption by submitting specially-crafted payloads that meet the default...
PT-2025-34744
Name of the Vulnerable Software and Affected Versions: egOS WebGUI affected versions not specified Description: The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass...
Linux Distros Unpatched Vulnerability : CVE-2018-1000539
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Nov json-jwt version >= 0.5.0 && <= 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM...
CVE-2025-6183
The StrongDM macOS client incorrectly processed JSON-formatted messages. Attackers could potentially modify macOS system configuration by crafting a malicious JSON message...
CVE-2025-51606
hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT JSON Web Token creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical...
sha.js is missing type checks leading to hash rewind and passing on crafted data
Summary This is the same as GHSA-cpq7-6gpm-g9rc but just for sha.js, as it has its own implementation. Missing input type checks can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state including turning a tagged hash into an...
ROS-20250821-02
A vulnerability in the BinaryStreamDriver component of XStream, the Java library for converting objects to XML or JSON, is related to a stack-based buffer overflow triggered by a manipulated binary input stream. Exploitation of the vulnerability could allow an attacker acting remotely to perform a...
Linux Distros Unpatched Vulnerability : CVE-2023-5072
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amoun...