Interpretation Conflict Affecting github.com/segmentio/encoding/json package, versions <0.5.4


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMSEGMENTIOENCODINGJSON-15701709
  • published20 Mar 2026
  • disclosed19 Mar 2026
  • creditFrancesco Lacerenza

Introduced: 19 Mar 2026

CVE NOT AVAILABLE CWE-1395  (opens in a new tab)
CWE-436  (opens in a new tab)

How to fix?

Upgrade github.com/segmentio/encoding/json to version 0.5.4 or higher.

Overview

Affected versions of this package are vulnerable to Interpretation Conflict in the JSON parsing process. An attacker can manipulate message fields by appending null Unicode characters to keys, causing key collisions and overriding intended values by submitting specially crafted JSON objects with duplicate keys. This may allow bypassing of intermediary inspection or policy enforcement mechanisms and create inconsistencies across different SDK implementations.

CVSS Base Scores

version 4.0
version 3.1