CVE-2026-32128: Insecure Manual Json Escaping

Using manual `.replace()` calls to escape double quotes for JSON string substitution is vulnerable to JSON injection. A regex like `/(?<!\\)"/g` or `/"/g` without properly handling backslashes allows an attacker to inject a backslash and bypass the quote escape (e.g., `\"`). When parsed, the injected backslash escapes itself, leaving the quote to prematurely

greprules fetch cve-2026-32128-insecure-manual-json-escaping --engine opengrep

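An added example (not code from the greprules entry or from the affected project) that puts the manual `/"/g` escaping pattern next to the `JSON.stringify` form and checks each by round-tripping the value through `JSON.parse`. The template shape, field names and sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the greprules entry or the affected project.
// Builds a JSON document with the manual-escaping pattern the description
// refers to, beside the JSON.stringify form, and checks both by round trip.

// Vulnerable pattern: only double quotes are escaped; backslashes in the
// input pass through untouched and are later read as JSON escape sequences.
function buildManual(displayName) {
  const escaped = displayName.replace(/"/g, '\\"');
  return `{"displayName":"${escaped}","role":"user"}`;
}

// Hardened form: JSON.stringify escapes quotes, backslashes and control
// characters, so the value can never leave its string position.
function buildSafe(displayName) {
  return `{"displayName":${JSON.stringify(displayName)},"role":"user"}`;
}

// Returns true only if the document parses and the field still holds the
// original value; false on a parse error or silently altered content.
function roundTrips(build, displayName) {
  let parsed;
  try {
    parsed = JSON.parse(build(displayName));
  } catch (err) {
    return false; // manual escaping produced invalid JSON
  }
  return parsed.displayName === displayName && parsed.role === 'user';
}

// Constructed sample inputs (JS escapes: '\\' is one backslash character).
const samples = {
  plain: 'alice',
  quoted: 'say "hi"',
  backslashes: 'C:\\temp\\new', // \t and \n are parsed as tab and newline
  breakout: 'alice\\"',         // the \" case: the backslash escapes itself
};

// Runs every sample through both builders; only buildSafe passes them all.
function check() {
  const result = {};
  for (const [name, value] of Object.entries(samples)) {
    result[name] = {
      manual: roundTrips(buildManual, value),
      safe: roundTrips(buildSafe, value),
    };
  }
  return result;
}
```

With the `/(?<!\\)"/g` variant the `breakout` sample parses but comes back as `alice"` with the backslash consumed, so the round-trip check catches that variant as well.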