Fixes CVE-2026-59171 #1065

Open
Damien-Warren-206 wants to merge 1 commit into stleary:master from Damien-Warren-206:master

Damien-Warren-206 commented Jul 3, 2026

Description:
See #1063
Fixed JSONObject and XML to check length before calling stringToNumber()

Note:

JSONArray and JSONTokener did not need to be fixed because all code goes through JSONObject. Added multiple unit tests to test the new functionality.

sonarqubecloud Bot commented Jul 3, 2026

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.3% Duplication on New Code

See analysis details on SonarQube Cloud

stleary (Owner) commented Jul 3, 2026

What problem does this code solve?
Don't try to parse JSON strings consisting of numbers with more than 1000 chars. This is a new hard-coded limit. By default, these values will be parsed as strings. A future fix may make the limit configurable.

Does the code still compile with Java6?
Yes

Risks
Low.
This is a behavioral change in response to a CVE

Changes to the API?
No

Will this require a new release?
Yes

Should the documentation be updated?
No

Does it break the unit tests?
No, new unit tests were added.

Was any code refactored in this commit?
No

Review status
APPROVED

Starting 3-day comment window
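
The guard discussed in this pull request, sketched as an added example that is not code from the PR or from the project: a numeric-looking token longer than 1000 characters is returned as a string without any conversion attempt. The class name `NumericLengthGuard`, the constant `MAX_NUMBER_LENGTH` and the helper `toValue` are hypothetical, and the conversion logic is a simplified stand-in for the library's `stringToNumber()`.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

public class NumericLengthGuard {
    // Assumed name; the 1000-character limit is the one stated in the PR discussion.
    static final int MAX_NUMBER_LENGTH = 1000;

    // Hypothetical stand-in for the step that turns an unquoted token into a value.
    static Object toValue(String raw) {
        if (raw == null || raw.length() == 0) {
            return raw;
        }
        char first = raw.charAt(0);
        boolean looksNumeric = (first >= '0' && first <= '9') || first == '-';
        if (!looksNumeric) {
            return raw;
        }
        // Guard before conversion: the length check is constant time, while the
        // cost of big-number conversion grows with the length of the literal.
        if (raw.length() > MAX_NUMBER_LENGTH) {
            return raw; // over the limit: keep the token as a string
        }
        try {
            boolean decimal = raw.indexOf('.') >= 0
                    || raw.indexOf('e') >= 0 || raw.indexOf('E') >= 0;
            return decimal ? (Object) new BigDecimal(raw) : (Object) new BigInteger(raw);
        } catch (NumberFormatException e) {
            return raw; // not a valid number after all: fall back to the string
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one token exactly at the limit, one a single digit over.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < MAX_NUMBER_LENGTH; i++) {
            sb.append('7');
        }
        String atLimit = sb.toString();
        String overLimit = sb.append('7').toString();

        System.out.println("1000 digits: " + toValue(atLimit).getClass().getSimpleName());
        System.out.println("1001 digits: " + toValue(overLimit).getClass().getSimpleName());
        System.out.println("12.5:        " + toValue("12.5").getClass().getSimpleName());
        System.out.println("-:           " + toValue("-").getClass().getSimpleName());
    }
}
```

Callers that consume parsed values should be checked for the type change: a field that used to arrive as a number can now arrive as a `String` once its literal exceeds the limit.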
