Hacker News
by jimktrains2 2626 days ago
> This looks like it requires specially crafted code, therefore not a security issue.

I'm not sure how I feel about such a response. Many exploits require odd, but valid code, and more often than not it exists out there.

Also, it feels weird for this to be tagged as a JSON issue?

1 comments

Basically they don't consider the engineer exploiting the interpreter to be a security vulnerability. That seems a bit dubious, but I can see where they are coming from in treating the script author as a trusted party.