simd-json is vulnerable to Undefined Behavior
20
Low Risk
simd-json parses JSON structure with unsafe native and NEON SIMD stage-1 code. The NEON stage-1 path stores structural indexes with an alignment-assuming write into an under-aligned buffer, causing undefined behavior that can corrupt memory, and on runtime-detection builds without the portable feature the native fallback skips UTF-8 validation and treats invalid UTF-8 as a valid string. A zero-length buffer allocation also invokes undefined behavior. The fix switches to unaligned writes, adds a native UTF-8 pre-validation step before structural-bit detection, and avoids the zero-size allocation.
You are affected if you are using a version that falls within the vulnerable range.
simd-json is vulnerable to Undefined Behavior in versions 0.3.21 - 0.17.1.
Upgrade the simd-json library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant