Last Modified: Feb 13, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
21.0.0.1
Opened: Feb 13, 2026
Severity: 3-Major
The JSON_REQUEST_ERROR event is not triggered for certain invalid JSON payloads that should be rejected according to RFC 8259.

Invalid JSON patterns that are NOT caught include:
- Trailing commas in objects: {"mystring": "addcomma",}
- Nested objects with missing values: {"nested": {"missing": }}
- Leading zeros in numbers: {"number": 01234}
- Duplicate keys: {"duplicate": 1, "duplicate": 2}
- Trailing commas in arrays: {"tools": [{"name": "value"},]}

Invalid JSON patterns that ARE correctly rejected:
- Single quotes instead of double quotes: {"single": 'quotes'}
- Unquoted keys: {invalid: "no quotes on key"}
- Undefined values: {"bad_value": undefined}
- Incomplete JSON: {"incomplete": "missing closing brace"
1) The BIG-IP JSON profile parser is less strict than other JSON validation tools (e.g., jq, standard JSON parsers).
2) Applications relying on the JSON_REQUEST_ERROR event to reject malformed JSON may allow invalid JSON payloads to pass through. Security policies depending on strict JSON validation may be bypassed.
3) Behavior is inconsistent with industry-standard JSON validators.
1) BIG-IP version 21.0.0 with JSON profile configured
2) Using new LTM iRule events (JSON_REQUEST_ERROR, JSON_REQUEST_MISSING) introduced in v21.0.0
3) Processing HTTP or HTTP/2 requests with JSON content
None
None
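Because malformed payloads can pass the JSON profile, the application behind the BIG-IP should not assume they were filtered. The following is an added example, not F5 code and not a BIG-IP workaround: a strict parser for a Python backend (an assumption, as are the function names), run against the payloads quoted above. Python's `json.loads` already refuses eight of the nine, but it accepts duplicate keys and the non-standard constants `NaN`/`Infinity`, so both are rejected explicitly.

```python
import json

# Payloads quoted on this page. NOT_CAUGHT: no JSON_REQUEST_ERROR is raised.
# CAUGHT: the page reports these are rejected.
NOT_CAUGHT = [
    '{"mystring": "addcomma",}',
    '{"nested": {"missing": }}',
    '{"number": 01234}',
    '{"duplicate": 1, "duplicate": 2}',
    '{"tools": [{"name": "value"},]}',
]
CAUGHT = [
    '{"single": \'quotes\'}',
    '{invalid: "no quotes on key"}',
    '{"bad_value": undefined}',
    '{"incomplete": "missing closing brace"',
]

def _no_duplicate_keys(pairs):
    # Called for every object, nested ones included; json.loads alone would
    # silently keep the last value of a repeated key.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj

def _reject_constant(name):
    # json.loads accepts NaN, Infinity and -Infinity unless told otherwise.
    raise ValueError(f"non-standard constant: {name}")

def strict_loads(body):
    """Parse a request body; raise ValueError on anything malformed."""
    if isinstance(body, bytes):
        body = body.decode("utf-8")  # UnicodeDecodeError is a ValueError
    return json.loads(body, object_pairs_hook=_no_duplicate_keys,
                      parse_constant=_reject_constant)

def accepted(payloads, loader=strict_loads):
    """Return the payloads that `loader` parses without raising."""
    passed = []
    for payload in payloads:
        try:
            loader(payload)
        except ValueError:
            continue
        passed.append(payload)
    return passed

if __name__ == "__main__":
    print("strict parser lets through:", accepted(NOT_CAUGHT + CAUGHT))
    print("plain json.loads lets through:", accepted(NOT_CAUGHT, json.loads))
```

The same payload lists work as a regression corpus for whichever parser the backend actually uses: pass it as `loader` and confirm `accepted` returns an empty list.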