CVE-2024-25713

Published: Feb 29, 2024Modified: Jun 17, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Exploitability: 3.9 / Impact: 4.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the pool_free function lacks loop checks. (pool_free is part of the pool series allocator, along with pool_malloc and pool_realloc.)

Affected (4)

Products: Ibireme: Yyjson · Fedoraproject: Fedora

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ibireme Yyjson	Up to 0.8.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38
Fedoraproject Fedora	Version 39
Fedoraproject Fedora	Version 40

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (11)

https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh

Source: cve@mitre.org

ExploitVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KQ67T4R7QEWURW5NMCCVLTBASL4ECHE/

Source: cve@mitre.org

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NNICQVIF7BRYFWYRL3HPVAJIPXN4OVTX/

Source: cve@mitre.org

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TKQPEREDUDKGYJMFNFDQVYCVLWDRO2Y2/

Source: cve@mitre.org

Mailing List

https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh