Skip to content

[GHSA-493p-pfq6-5258] json-smart Uncontrolled Recursion vulnerability#8697

Open
oswaldobapvicjr wants to merge 1 commit into
oswaldobapvicjr/advisory-improvement-8697from
oswaldobapvicjr-GHSA-493p-pfq6-5258
Open

[GHSA-493p-pfq6-5258] json-smart Uncontrolled Recursion vulnerability#8697
oswaldobapvicjr wants to merge 1 commit into
oswaldobapvicjr/advisory-improvement-8697from
oswaldobapvicjr-GHSA-493p-pfq6-5258

Conversation

@oswaldobapvicjr

Copy link
Copy Markdown

Updates

  • References
  • Source code location

Comments

Request: Withdraw Security Advisory (Published in Error)

Reason for Request:
This advisory (GHSA-493p-pfq6-5258) was originally published on my repository (oswaldobapvicjr/jsonmerge) by me in error, and I would like to request its withdrawal. It should have been reported under netplex/json-smart-v2 which is the correct repository as described in the Advisory details and the underlying CVE.

Technical Context:

  • The underlying vulnerability (CVE-2023-1370) belongs strictly to the third-party parser net.minidev:json-smart.
  • In oswaldobapvicjr/jsonmerge, this dependency is explicitly marked as <optional>true</optional> in the Maven POM.
  • Because jsonmerge is a provider-agnostic utility library, it does not package, bundle, or transitively force json-smart onto consuming applications.
  • Marking this as an active vulnerability of jsonmerge is causing false positives for downstream consumers who do not even pull in the affected json-smart package.

As the repository owner and the publisher of this advisory, I kindly request the GitHub Curation Team to withdraw this GHSA from my repository oswaldobapvicjr/jsonmerge

@github

github commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Hi there @oswaldobapvicjr! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to oswaldobapvicjr/advisory-improvement-8697 July 14, 2026 02:15
@oswaldobapvicjr

Copy link
Copy Markdown
Author

Hi GitHub Security Team!

I would appreciate it if the curation team could approve this improvement and officially withdraw/retract the global advisory to prevent further false positives for the community.

Additionally, could you please guide me on how I can completely withdraw or remove this advisory from my specific repository's Security tab as well? I currently do not see an option to delete or withdraw it from my end.

Thank you for your help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants