CVE-2023-50472

7.5 HIGH

📋 TL;DR

CVE-2023-50472 is a NULL pointer dereference vulnerability in cJSON v1.7.16 that can cause segmentation faults when the cJSON_SetValuestring function is called with invalid parameters. This affects any application using the vulnerable cJSON library version for JSON parsing. Attackers can potentially crash applications or achieve denial of service.

💻 Affected Systems

Products:
  • cJSON library
  • Applications embedding cJSON v1.7.16
Versions: cJSON v1.7.16 specifically
Operating Systems: All platforms where cJSON is used (Linux, Windows, macOS, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that call cJSON_SetValuestring with invalid parameters. The vulnerability is in the library itself, not dependent on specific application configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service, potentially disrupting critical services or enabling further exploitation through crash analysis.

🟠 Likely Case: Application segmentation fault causing service interruption and potential data loss in affected processes.

🟢 If Mitigated: Controlled application termination with proper error handling and logging, minimizing service impact.

🌐 Internet-Facing: MEDIUM - While exploitation requires specific conditions, internet-facing applications using cJSON could be targeted for DoS attacks.
🏢 Internal Only: LOW - Internal systems are less likely to be targeted, but the vulnerability could still cause service disruptions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control input to cJSON_SetValuestring. The GitHub issue contains demonstration code showing how to trigger the segmentation fault.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: cJSON v1.7.17 and later

Vendor Advisory: https://github.com/DaveGamble/cJSON/issues/803

Restart Required: Yes

Instructions:

1. Update cJSON to version 1.7.17 or later.
2. Recompile any applications using cJSON.
3. Restart affected services.
4. For embedded systems, rebuild firmware with the updated library.

🔧 Temporary Workarounds

Input validation wrapper (applies to: all platforms)

Add parameter validation before calling cJSON_SetValuestring to ensure the pointers it will dereference are valid.

// Example C code wrapper:
#include "cJSON.h"
// Same signature as cJSON_SetValuestring (it returns char *, not int): NULL on rejection.
char *safe_cJSON_SetValuestring(cJSON *item, const char *valuestring) {
    if (item == NULL || valuestring == NULL) return NULL;
    // item->valuestring is the pointer the library itself dereferences; guard it too.
    if (!cJSON_IsString(item) || item->valuestring == NULL) return NULL;
    return cJSON_SetValuestring(item, valuestring);
}

🧯 If You Can't Patch

  • Implement strict input validation for all cJSON_SetValuestring calls
  • Use application-level monitoring to detect and restart crashed processes

🔍 How to Verify

Check if Vulnerable:

Check the cJSON version in source code or compiled binaries: grep -r 'CJSON_VERSION' . (the macro names are all-uppercase CJSON_VERSION_*), or check the library headers for version 1.7.16

Check Version:

grep -E '#define CJSON_VERSION_(MAJOR|MINOR|PATCH)' cJSON.h

Verify Fix Applied:

Verify cJSON version is 1.7.17 or later and test with the proof-of-concept from GitHub issue #803
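As an added check for this section (not from the advisory or from the cJSON project), the POSIX shell script below reads the three CJSON_VERSION_* defines out of a cJSON.h and compares them numerically against 1.7.17, the fixed release named above, so that a header at 1.7.9 is correctly ordered below 1.7.17 where a string comparison would not be. The sample headers it creates are constructed inputs containing only the version lines; point cjson_status at every real cJSON.h the recursive grep turns up, since vendored copies of the library are common and each one needs its own check.

```shell
#!/bin/sh
# Added example, not part of the advisory or the cJSON project: read the
# CJSON_VERSION_* defines from a cJSON.h and decide whether it is at or past 1.7.17.

FIXED_MAJOR=1
FIXED_MINOR=7
FIXED_PATCH=17

# Print the numeric value of one "#define NAME value" line ($1 = header path,
# $2 = macro name), or nothing if that define is absent.
cjson_define() {
    sed -n "s/^[[:space:]]*#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$1" | head -n 1
}

# Print "major.minor.patch" for the header; print "unknown" and return 2 if any
# of the three defines is missing (e.g. a stripped or unrelated header).
cjson_version() {
    major=$(cjson_define "$1" CJSON_VERSION_MAJOR)
    minor=$(cjson_define "$1" CJSON_VERSION_MINOR)
    patch=$(cjson_define "$1" CJSON_VERSION_PATCH)
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo unknown
        return 2
    fi
    echo "$major.$minor.$patch"
}

# Exit status: 0 = fixed (>= 1.7.17), 1 = older than the fix, 2 = undetermined.
cjson_status() {
    v=$(cjson_version "$1") || { echo "undetermined: $1"; return 2; }
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    # Pack the three fields so a single integer comparison orders versions
    # correctly (1.7.9 < 1.7.17, which a plain string compare would get wrong).
    have=$((major * 1000000 + minor * 1000 + patch))
    need=$((FIXED_MAJOR * 1000000 + FIXED_MINOR * 1000 + FIXED_PATCH))
    if [ "$have" -ge "$need" ]; then
        echo "fixed: $v ($1)"
        return 0
    fi
    echo "vulnerable: $v ($1), update to $FIXED_MAJOR.$FIXED_MINOR.$FIXED_PATCH or later"
    return 1
}

# Constructed sample headers: only the version lines, not real cJSON.h files.
SAMPLE_VULN=$(mktemp)
cat >"$SAMPLE_VULN" <<'EOF'
#define CJSON_VERSION_MAJOR 1
#define CJSON_VERSION_MINOR 7
#define CJSON_VERSION_PATCH 16
EOF
SAMPLE_FIXED=$(mktemp)
cat >"$SAMPLE_FIXED" <<'EOF'
#define CJSON_VERSION_MAJOR 1
#define CJSON_VERSION_MINOR 7
#define CJSON_VERSION_PATCH 17
EOF
SAMPLE_UNKNOWN=$(mktemp)
printf '/* constructed header with no version macros */\n' >"$SAMPLE_UNKNOWN"

# Report each sample; the exit code is kept for scripting, the text for humans.
for h in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_UNKNOWN"; do
    cjson_status "$h" || :
done
```

In a CI job, run cjson_status over the output of find . -name cJSON.h and fail the build on any non-zero status; the "undetermined" case (status 2) is deliberately not treated as safe, since a header without version macros cannot be cleared.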

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault (core dumped) messages
  • Application crash logs mentioning cJSON
  • Unexpected process termination

Network Indicators:

  • Sudden service unavailability on ports served by processes that embed cJSON
  • Increased error responses from affected services

SIEM Query:

(process.name:cjson AND event.type:crash) OR error.message:"segmentation fault"
