yahoo / elide

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort.

Home Page:https://elide.io

CVE-2023-34620 - HJson vulnerability.

bladedancer opened this issue · comments

There's a CVE for hjson - a dependency of Elide:
https://nvd.nist.gov/vuln/detail/CVE-2023-34620

I've done some digging through the code - it seems this is only used in the config model stuff. Is there any exposure on the JsonAPI request processing side? From what I can see, no - there's no hjson support and it is all jackson databind. But I wanted to get confirmation from the experts.

Is there any API by which an external bad actor could feed hjson content to Elide?

(Not sure it matters but I'm not using analytic queries).

Nothing in core Elide leverages HJSON (JSON-API or GraphQL). HJSON is only for Analytics. HJSON configuration is normally read only at boot. There is an experimental store (config store) with models that would allow upload/download of HJSON configuration for analytics where this might be an issue, although this was not a production ready feature.

That's what it looked like to me - I just wanted to confirm I wasn't overlooking anything.