Skip to content

[Security] JSON Pointer ~1 decoding error vulnerability inside decode_pointer_inplace #1050

Description

@eglonnnn

Title: JSON Pointer ~1 decoding error in cJSON decode_pointer_inplace


Description

A logic error in cJSON's JSON Pointer decoder. When decode_pointer_inplace() processes a ~1 escape sequence (which should decode to / per RFC 6901), it writes the decoded / to an incorrect position — decoded_string[1] instead of the current output cursor. As a result, ~1 is decoded as ~/ instead of /, causing cJSONUtils_ApplyPatches() to target the wrong key.

Impact

  • cJSONUtils_GetPointer() / cJSONUtils_ApplyPatches() resolve incorrect keys
  • Data integrity issue when processing JSON Patch operations from untrusted sources

Reproduction

All materials are available in my research repository:

https://github.com/eglonnnn/opensource-fuzz-vulnerability-research/tree/main/JSON%20Pointer%20~1%20decoding%20error%20in%20cJSON%20decode_pointer_inplace

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions