There are vulnerability issues with JSON if the client-side script uses eval to recreate the JS object instead of a dedicated JSON parser.

Also, I don't think JSON does require any kind of file-caching, does it? I thought it was just a string?

The JSON exploits are more to do with executing malicious code on the client than the server. If you have an AJAX-enabled community-content web app which uses JSON to transport data, and you can discover the object notation, you can replace chunks of it with executable Javascript which will then get eval'd on the client and could do all sorts of nasty stuff.

Again, making sure the stuff is properly escaped on the server before sending it prevents this kind of thing, but XML/SOAP fans would argue that it's better if the vulnerability doesn't exist at all.

Rendle's doing a better job of explaining this than I am.

Mr Rendle: Yes, the new stuff does look awesome. I'm officially converted from Microsoft hater to Microsoft lover. It's that good.