Important security update

Two days ago, GitHub user @xD0135 reported a major vulnerability that affects ArduinoJson’s parser.

The vulnerabity originates from a buffer overrun in the string-to-float conversion code. This bug can be triggered by sending a JSON document that contains a string with a large number of digits. It can be used to remotely crash a device and potentially read the device’s memory.

I urge you to update any program that is exposed to untrusted connections, such as a server connected to the Internet. To make the upgrade as easy as possible, I also published updates for old ArduinoJson versions:

• ArduinoJson 7.4.3
• ArduinoJson 7.3.2
• ArduinoJson 7.2.2
• ArduinoJson 6.21.6
• ArduinoJson 5.13.6

Please let me know if you need an update for another version.