CVE-2026-32285 Overview
CVE-2026-32285 is a denial of service vulnerability in the jsonparser Go library. The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack against applications using this library.
Critical Impact
Applications using the vulnerable Delete function can be crashed by attackers supplying malformed JSON input, resulting in service disruption and potential availability issues.
Affected Products
- buger/jsonparser Go library (affected versions not specified)
- Go applications utilizing the jsonparser library's Delete function
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-32285 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-32285
Vulnerability Analysis
This vulnerability affects the Delete function in the jsonparser Go library. The function is designed to remove elements from JSON data structures but contains insufficient validation logic for offset calculations. When the function processes specially crafted malformed JSON input, it can calculate a negative offset value that is subsequently used as a slice index.
In Go, attempting to access a slice with a negative index causes a runtime panic, which immediately terminates the goroutine or application if not properly recovered. This behavior can be exploited by attackers to cause denial of service conditions in any application that uses the vulnerable Delete function to process untrusted JSON input.
Root Cause
The root cause of this vulnerability is improper input validation in the offset calculation logic within the Delete function. When the function encounters malformed JSON structures, the offset computation can result in negative values. The code lacks boundary checks to ensure that calculated offsets remain within valid positive ranges before using them as slice indices.
This is classified as an Input Validation Error vulnerability where the function does not adequately sanitize or validate input before performing critical operations.
Attack Vector
An attacker can exploit this vulnerability by providing malformed JSON input to an application that uses the vulnerable Delete function. The attack does not require authentication or special privileges—only the ability to submit JSON data that will be processed by the vulnerable function.
The exploitation flow involves:
- The attacker identifies an application endpoint or component that processes JSON using the jsonparser library
- The attacker crafts malformed JSON input designed to trigger negative offset calculation
- When the application calls the Delete function with this input, a negative slice index is computed
- Go's runtime panics when attempting to access the slice with the negative index
- Unless the application has panic recovery mechanisms, the process terminates
For technical details and proof of concept information, see the GitHub Issue #275 in the jsonparser repository.
Detection Methods for CVE-2026-32285
Indicators of Compromise
- Application crashes with Go runtime panic messages referencing negative slice index errors
- Log entries showing panic recovery in handlers processing JSON data
- Increased application restarts or service availability issues
- Error logs containing stack traces pointing to the jsonparser library's Delete function
Detection Strategies
- Monitor application logs for Go runtime panic messages containing "index out of range" or "negative slice index" errors
- Implement application-level monitoring to detect abnormal restart patterns or crash loops
- Use static code analysis tools to identify usage of the vulnerable jsonparser.Delete function in codebases
- Deploy dependency scanning tools to identify projects using vulnerable versions of the jsonparser library
Monitoring Recommendations
- Configure alerting for application crash events and panic recovery occurrences
- Implement health checks that can detect when services become unavailable due to crashes
- Monitor JSON parsing error rates for unusual spikes that may indicate exploitation attempts
- Review the Go.dev Vulnerability Report for updated guidance and version information
How to Mitigate CVE-2026-32285
Immediate Actions Required
- Audit your Go projects for usage of the jsonparser library, specifically the Delete function
- Review the GitHub Vulndb Issue #4514 for patched version information
- Implement input validation on JSON data before passing it to the Delete function
- Consider adding panic recovery wrappers around code sections that process untrusted JSON input
Patch Information
Refer to the official GitHub Issue #275 for patch status and updates from the maintainers. Monitor the Go.dev Vulnerability Report for information about fixed versions and upgrade guidance.
Workarounds
- Implement robust input validation to reject malformed JSON before it reaches the Delete function
- Wrap calls to the Delete function with Go's recover() mechanism to prevent application crashes
- Consider using alternative JSON parsing libraries that have undergone security auditing
- Implement rate limiting on endpoints that process JSON to limit potential denial of service impact
The following example demonstrates implementing panic recovery as a temporary mitigation:
# Panic recovery wrapper for jsonparser.Delete
func safeDelete(data []byte, keys ...string) (result []byte, err error) {
defer func() {
if r := recover(); r != nil {
err = fmt.Errorf("jsonparser panic recovered: %v", r)
result = nil
}
}()
result = jsonparser.Delete(data, keys...)
return result, nil
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
