CVE-2021-42248: Duplicate Advisory: ReDoS via crafted JSON input in GJSON
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-42248
GHSA ID:
EPSS Score: -
CWE:
Published: 5/25/2022
Updated: 5/3/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/tidwall/gjson | go | < 1.9.3 | 1.9.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from using `tidwall/match`'s `Match` function without complexity limits in three key areas: 1) the core `match.Match` function itself, from the dependency; 2) the `queryMatches` function, which handles the `%`/`!%` operators; 3) the `parseObject` function, which processes wildcard paths. The patch replaced these calls with `matchLimit`, which adds step constraints. The high confidence comes from explicit patch changes showing the replacement of `Match` with `MatchLimit` in these locations, and from CWE-1333's direct relation to regex complexity issues.
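
The step-constraint idea described above, as an added Go example (not code from GJSON or `tidwall/match`). The `matchLimit` function here is a hypothetical, simplified wildcard matcher, and the inputs and the 10000-step budget are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// matchLimit is a hypothetical, simplified wildcard matcher ('*' = any run of
// bytes, '?' = any single byte). It gives up once maxSteps comparisons have
// been spent and reports that through stopped. maxSteps <= 0 means no limit.
func matchLimit(str, pattern string, maxSteps int) (matched, stopped bool) {
	steps := 0
	var walk func(s, p string) bool
	walk = func(s, p string) bool {
		if steps++; maxSteps > 0 && steps > maxSteps {
			stopped = true
			return false
		}
		if p == "" {
			return s == ""
		}
		if p[0] == '*' {
			// Each '*' tries every split point; nested stars multiply the work.
			for i := 0; i <= len(s) && !stopped; i++ {
				if walk(s[i:], p[1:]) {
					return true
				}
			}
			return false
		}
		if s == "" || (p[0] != '?' && p[0] != s[0]) {
			return false
		}
		return walk(s[1:], p[1:])
	}
	matched = walk(str, pattern)
	return matched, stopped
}

func main() {
	// Constructed inputs: a benign pattern and a many-star pattern that cannot match.
	fmt.Println(matchLimit("hello world", "h*o w?rld", 10000))
	fmt.Println(matchLimit(strings.Repeat("a", 30), strings.Repeat("*a", 8)+"*b", 10000))
}
```

A caller should treat `stopped == true` as "no match, input rejected" rather than retrying with a larger budget.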