Expected Behavior Violation Affecting davegamble/cjson package, versions [0,]


Severity (Recommended): low, score 0.0

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.01% (2nd percentile)

  • Snyk ID: SNYK-UNMANAGED-DAVEGAMBLECJSON-9802198
  • Published: 24 Apr 2025
  • Disclosed: 19 Apr 2025
  • Credit: Unknown

Introduced: 19 Apr 2025

CVE-2023-26819
CWE-440

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Expected Behavior Violation: the parse_number() function does not comply with the JSON specification and fails on numeric inputs longer than 64 bytes.

Note: The specification includes the following regarding the expected length of numbers:

This specification allows implementations to set limits on the range and precision of numbers accepted. Since software that implements IEEE 754-2008 binary64 (double precision) numbers [IEEE754] is generally available and widely used, good interoperability can be achieved by implementations that expect no more precision or range than these provide, in the sense that implementations will approximate JSON numbers within the expected precision. A JSON number such as 1E400 or 3.141592653589793238462643383279 may indicate potential interoperability problems, since it suggests that the software that created it expects receiving software to have greater capabilities for numeric magnitude and precision than is widely available.

Note that when such software is used, numbers that are integers and are in the range [-(2**53)+1, (2**53)-1] are interoperable in the sense that implementations will agree exactly on their numeric values.
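As an added example (not cJSON's code or Snyk's), a defender-side pre-screen in C that measures the longest number literal in a JSON document, so that inputs the affected parse_number() cannot handle are rejected before they reach the parser. The 64-byte threshold is taken from the overview above; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Threshold from the advisory text: the affected parse_number() fails on
 * number literals longer than 64 bytes. */
#define CJSON_NUMBER_LIMIT 64

/* Length in bytes of the longest JSON number literal in the text; digits inside
 * string values are ignored. Constructed pre-screen for well-formed JSON, not a parser. */
size_t longest_number_literal(const char *json)
{
    size_t longest = 0;
    int in_string = 0;

    for (const char *p = json; *p != '\0'; p++) {
        if (in_string) {
            if (*p == '\\' && p[1] != '\0')
                p++;                     /* skip the escaped character */
            else if (*p == '"')
                in_string = 0;
        } else if (*p == '"') {
            in_string = 1;
        } else if (*p == '-' || (*p >= '0' && *p <= '9')) {
            /* A number token starts with '-' or a digit; it may contain digits . e E + - */
            const char *start = p;
            while (*p == '-' || *p == '+' || *p == '.' || *p == 'e' ||
                   *p == 'E' || (*p >= '0' && *p <= '9'))
                p++;
            if ((size_t)(p - start) > longest)
                longest = (size_t)(p - start);
            p--;                         /* the for loop advances again */
        }
    }
    return longest;
}

/* Returns 1 when every number literal fits within max_len bytes, 0 otherwise. */
int json_numbers_within_limit(const char *json, size_t max_len)
{
    return longest_number_literal(json) <= max_len;
}

int main(void)
{
    /* Constructed inputs: a 70-digit integer, then the same digits inside a string next to a short number. */
    const char *oversized = "{\"id\": 1234567890123456789012345678901234567890123456789012345678901234567890}";
    const char *fine = "{\"note\": \"1234567890123456789012345678901234567890123456789012345678901234567890\", \"n\": 3.25}";
    printf("oversized accepted: %d\n", json_numbers_within_limit(oversized, CJSON_NUMBER_LIMIT)); /* 0 */
    printf("fine accepted: %d\n", json_numbers_within_limit(fine, CJSON_NUMBER_LIMIT));           /* 1 */
    return 0;
}
```

Which limit to enforce is a deployment choice: the 64-byte figure mirrors the advisory, and a stricter limit such as the 17 significant digits a binary64 double can carry is also defensible given the specification text quoted above.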
