CVE-2025-57052

Published: Sep 3, 2025Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.

Affected (1)

Products: Davegamble: Cjson

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Davegamble Cjson	From 1.5.0 to 1.7.18

Related CWEs

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References (2)

https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability

Source: cve@mitre.org

Exploit

https://lists.debian.org/debian-lts-announce/2025/09/msg00019.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.