diff --git a/spa/include/spa/utils/json.h b/spa/include/spa/utils/json.h
index 40d2f6aba..75f5b9a8c 100644
--- a/spa/include/spa/utils/json.h
+++ b/spa/include/spa/utils/json.h
@@ -137,12 +137,16 @@ static inline int spa_json_next(struct spa_json * iter, const char **value)
 				/* disallow bare escape */
 				goto error;
 			default:
+				/* allow bare ascii */
+				if (!(cur >= 32 && cur <= 126))
+					goto error;
 				*value = iter->cur;
 				iter->state = __BARE | flag;
 			}
 			continue;
 		case __BARE:
 			switch (cur) {
+			case '\0':
 			case '\t': case ' ': case '\r': case '\n':
 			case '"': case '#':
 			case ':': case ',': case '=': case ']': case '}':
@@ -153,8 +157,12 @@ static inline int spa_json_next(struct spa_json * iter, const char **value)
 			case '\\':
 				/* disallow bare escape */
 				goto error;
+			default:
+				/* allow bare ascii */
+				if (cur >= 32 && cur <= 126)
+					continue;
 			}
-			continue;
+			goto error;
 		case __STRING:
 			switch (cur) {
 			case '\\':
diff --git a/test/test-spa-json.c b/test/test-spa-json.c
index e06b2d3c5..ff46fe2e1 100644
--- a/test/test-spa-json.c
+++ b/test/test-spa-json.c
@@ -506,6 +506,19 @@ PWTEST(json_parse_fail)
 	spa_json_init(&it[0], json, strlen(json));
 	expect_parse_error(&it[0], json, 1, 3);
 
+	/* bad bare */
+	json = "\x01x";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 1);
+
+	json = "x\x01";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 2);
+
+	json = "\xc3\xa4";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 1);
+
 	return PWTEST_PASS;
 }
 
@@ -890,6 +903,7 @@ PWTEST(json_data)
 		"n_structure_null-byte-outside-string.json",
 		"n_structure_object_with_trailing_garbage.json",
 		"n_structure_trailing_#.json",
+		"n_multidigit_number_then_00.json",
 
 		/* SPA JSON accepts more number formats */
 		"n_number_-01.json",