Google · Tink-Cc · CVE-2024-4420
**Name of the Vulnerable Software and Affected Versions**
Tink-cc versions prior to 2.1.3
**Description**
This is a denial-of-service vulnerability. An adversary can crash binaries that use `crypto::tink::JsonKeysetReader` in Tink-cc by providing input that is not an encoded JSON object but is still a valid encoded JSON element, for example a number or an array; the reader crashes because Tink assumes that any valid JSON input contains an object. Additionally, an adversary can crash binaries by providing input containing many nested JSON objects, which may result in a stack overflow.
**Recommendations**
We recommend upgrading to version 2.1.3 or above. As a temporary workaround, consider restricting use of `crypto::tink::JsonKeysetReader` until a patch is available, and avoid passing inputs that are not encoded JSON objects, or that contain many nested JSON objects, to the affected API until the issue is resolved.
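The workaround above asks callers to keep non-object and deeply nested JSON away from the reader. One way to enforce that on untrusted keyset text before it reaches `crypto::tink::JsonKeysetReader` is a cheap structural pre-check. The code below is an added example written for this page; it is not part of Tink or of the advisory. It assumes a nesting limit of 64 (a value chosen for the example, not one Tink defines), the helper names `PreCheckKeysetJson` and `NestedObject` are hypothetical, and the sample keyset text is constructed. It is not a JSON parser: it only skips leading whitespace, checks that the first value is an object, and tracks string/escape state and bracket depth.

```cpp
#include <cstddef>
#include <string>

// Result of the pre-check: whether the input may be passed on, and why not if not.
struct PreCheckResult {
    bool ok;
    std::string reason;
};

// Rejects the two input classes the advisory describes before the real reader
// sees them: (1) a valid JSON element whose top-level value is not an object
// (e.g. "42" or "[1]"), and (2) objects/arrays nested deeper than max_depth.
// max_depth = 64 is an assumed limit for this example.
PreCheckResult PreCheckKeysetJson(const std::string& input, std::size_t max_depth = 64) {
    std::size_t i = 0;
    // Skip leading JSON whitespace.
    while (i < input.size() &&
           (input[i] == ' ' || input[i] == '\t' || input[i] == '\n' || input[i] == '\r')) {
        ++i;
    }
    if (i == input.size()) return {false, "empty input"};
    if (input[i] != '{') return {false, "top-level JSON value is not an object"};

    std::size_t depth = 0;
    bool in_string = false;
    bool escaped = false;
    for (; i < input.size(); ++i) {
        const char c = input[i];
        if (in_string) {
            // Inside a string literal brackets are data, not structure.
            if (escaped) {
                escaped = false;
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '"') {
                in_string = false;
            }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{':
            case '[':
                if (++depth > max_depth) return {false, "nesting depth exceeds limit"};
                break;
            case '}':
            case ']':
                if (depth == 0) return {false, "unbalanced closing bracket"};
                --depth;
                break;
            default:
                break;
        }
    }
    if (in_string) return {false, "unterminated string"};
    if (depth != 0) return {false, "unbalanced brackets"};
    return {true, ""};
}

// Constructs a syntactically valid JSON object nested n levels deep, e.g.
// NestedObject(2) == {"k":{"k":1}}. Used to exercise the depth limit.
std::string NestedObject(std::size_t n) {
    std::string s;
    for (std::size_t k = 0; k < n; ++k) s += "{\"k\":";
    s += "1";
    for (std::size_t k = 0; k < n; ++k) s += "}";
    return s;
}

// Constructed sample keyset text (shape only; not a real key).
const std::string kSampleKeyset = "{\"primaryKeyId\": 1, \"key\": []}";

// Illustrative call site (the reader invocation itself is omitted):
//   PreCheckResult check = PreCheckKeysetJson(untrusted_text);
//   if (!check.ok) { /* reject and log check.reason */ }
//   else           { /* hand untrusted_text to the JSON keyset reader */ }
```

The check runs in a single pass with constant stack, so it cannot itself be pushed into a stack overflow by deep nesting, and it fails closed on anything it cannot account for (unbalanced brackets, unterminated strings). Inputs that pass still go through the real reader, which remains the authority on JSON validity; the pre-check only removes the two shapes the advisory names.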