Regular Expression Denial of Service
Overview: Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation: The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively...
Microsoft Edge - JSON.parse Info Leak
Microsoft Edge - JSON.parse Info Leak var once = false; var a = 1; function f if!once a = new Array1, 2, 3; this2 = a; once = true; //alert"f " + this; return ; JSON.parse"1, 2, 4, 5", f; var n = new Numbera0; n = n 1; var s = n.toString16; n = new Numbera1; n = n 1; s = s + n.toString16; n.lengt...
Microsoft Edge - JSON.parse Info Leak Vulnerability
Exploit for windows platform in category dos / poc var once = false; var a = 1; function f if!once a = new Array1, 2, 3; this2 = a; once = true; //alert"f " + this; return ; JSON.parse"1, 2, 4, 5", f; var n = new Numbera0; n = n 1; var s = n.toString16; n = new Numbera1; n = n 1; s = s +...
Microsoft Browser Remote Code Execution (MS16-129: CVE-2016-7241)
A type confusion vulnerability has been reported in the Scripting Engines of Microsoft Edge and Internet Explorer. This vulnerability is due to improper access of objects in memory when the JSON.parse JavaScript function is called. A remote attacker could exploit this vulnerability by enticing th...
GitLab: Read files on application server, leads to RCE
The GitLab export upload feature contains a vulnerability that allows an attacker to read arbitrary files on a GitLab instance. This vulnerability is caused by the behaviour of JSON.parse, your error handling, and the possibility to reference a symbolic link in a GitLab export. When I started...
Design/Logic Flaw
Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method...
CVE-2015-4478
CVE-2015-4478 affects Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2. The issue arises when parsing JSON with JSON.parse and a reviver, which can redefine non-configurable properties on JavaScript objects and bypass the Same Origin Policy. Affected products: Firefox/ESR; root cause:...
CVE-2015-4478
Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method...
Updated nodejs package fixes security vulnerabilities
Updated nodejs package fixes security vulnerabilities: A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and...
CVE-2013-4164
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to...