Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade json-smart from 2.5.1 to 2.5.2 fixing CVE-2024-57699 #2662

Open
julianladisch opened this issue Mar 9, 2025 · 0 comments
Open

Upgrade json-smart from 2.5.1 to 2.5.2 fixing CVE-2024-57699 #2662

julianladisch opened this issue Mar 9, 2025 · 0 comments
Assignees
@julianladisch
Labels
codequality dependencies Pull requests that update a dependency file fixed
Milestone
1.5.2

Comments

@julianladisch
Copy link
Contributor

julianladisch commented Mar 9, 2025
edited
Loading

For details about CVE-2024-57699 see
https://github.com/netplex/json-smart-v2/releases/tag/2.5.2

Karate uses new JsonSmartJsonProvider() that uses JSONParser.MODE_PERMISSIVE that includes LIMIT_JSON_DEPTH and therefore is not affected by CVE-2024-57699:

However, other projects that use Karate may directly call new JsonSmartJsonProvider(int parseMode) with one of the other default modes and are vulnerable.

Therefore Karate should ship the fixed version.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@julianladisch julianladisch

Labels
codequality dependencies Pull requests that update a dependency file fixed
Projects
None yet
Milestone
1.5.2
Development

No branches or pull requests
2 participants
@julianladisch @ptrthomas