The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a \ (backslash) followed by a terminator, as demonstrated by "\\\0", which triggers a buffer overflow and over-read.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| arduino_json_project | arduino_json | * |