CVSS Score
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/tidwall/gjson | go | < 1.6.6 | 1.6.6 |
The vulnerability is in the `unwrap` function in gjson.go, which strips the outer brackets from a JSON array or object before the contents are processed further. The fixing commit adds parentheses to the bounds check so that the length test covers both the `[` and the `{` case. In Go, `&&` binds more tightly than `||`, so without the parentheses the length check guarded only the `[` branch; a malformed one-character input such as `{` therefore satisfied the condition and reached the slice expression, which fails at runtime with a slice-bounds-out-of-range panic. Unless the caller recovers that panic, it terminates the process, so an application that passes untrusted JSON into the library can be crashed (denial of service). The test case added in gjson_test.go (TestIssue196) exercises exactly this input. Public functions such as `Get` are the entry points an attacker reaches, but the root cause is the missing validation in `unwrap`, which is why the fix belongs there rather than at each caller.
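To make the precedence bug concrete, the following is an added example written for this page and is not code from the gjson repository: it reconstructs the shape of the pre-1.6.6 check beside the parenthesised form from 1.6.6, using a simplified `trim` stand-in and the hypothetical names `unwrapVulnerable`, `unwrapFixed` and `safeUnwrap`. It goes slightly beyond the advisory's single `{` case: because the unparenthesised expression still evaluates `json[0]` when the length test fails, an empty string also panics in this reconstruction (index out of range rather than slice out of range), which is worth knowing when fuzzing a fork that carries the old check.

```go
package main

import "fmt"

// trim is a simplified stand-in (assumption, not gjson's own helper) that
// strips leading and trailing ASCII whitespace.
func trim(s string) string {
	for len(s) > 0 && s[0] <= ' ' {
		s = s[1:]
	}
	for len(s) > 0 && s[len(s)-1] <= ' ' {
		s = s[:len(s)-1]
	}
	return s
}

// unwrapVulnerable reconstructs the pre-1.6.6 condition as the advisory
// describes it: no parentheses, so Go parses the test as
// (len(json) >= 2 && json[0] == '[') || json[0] == '{'.
// The length guard therefore protects only the '[' branch.
func unwrapVulnerable(json string) string {
	json = trim(json)
	if len(json) >= 2 && json[0] == '[' || json[0] == '{' {
		// For json == "{" this is json[1:0], which panics at runtime.
		json = json[1 : len(json)-1]
	}
	return json
}

// unwrapFixed applies the parenthesised check introduced in 1.6.6, so the
// length test now covers both bracket kinds and the slice is always valid.
func unwrapFixed(json string) string {
	json = trim(json)
	if len(json) >= 2 && (json[0] == '[' || json[0] == '{') {
		json = json[1 : len(json)-1]
	}
	return json
}

// safeUnwrap calls fn under a recover so both variants can be compared on
// the same inputs without crashing the process; panicked reports whether
// fn panicked. Named results are used so the deferred recover can set them.
func safeUnwrap(fn func(string) string, json string) (out string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			out, panicked = "", true
		}
	}()
	return fn(json), false
}

func main() {
	// Constructed inputs: two well-formed values, the advisory's single '{',
	// a single '[' (guarded even by the old check), and the empty string.
	for _, in := range []string{`{"a":1}`, `[1,2]`, `{`, `[`, ``} {
		_, vp := safeUnwrap(unwrapVulnerable, in)
		_, fp := safeUnwrap(unwrapFixed, in)
		fmt.Printf("%-9q vulnerable panics=%-5v fixed panics=%v\n", in, vp, fp)
	}
}
```

The single `[` case shows why the bug was easy to miss: the old expression behaves correctly for one of the two bracket kinds, so tests that only covered arrays passed. A recover wrapper like `safeUnwrap` is a reasonable defence-in-depth measure at the boundary where untrusted JSON enters an application, but it is not a substitute for upgrading to 1.6.6 or later.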