CVE-2024-25713

8.6 HIGH

📋 TL;DR

CVE-2024-25713 is a double-free vulnerability in yyjson library versions through 0.8.0 that can lead to memory corruption and potentially remote code execution. This affects any application using vulnerable yyjson versions to parse JSON data. Attackers could exploit this by sending specially crafted JSON input to trigger the double-free condition.

💻 Affected Systems

Products:
  • yyjson
  • Any software using yyjson library
Versions: All versions through 0.8.0
Operating Systems: All platforms where yyjson is used
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the pool_free function of yyjson's custom memory allocator when processing JSON data.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with attacker gaining full control of the affected system, potentially leading to data theft, system compromise, or lateral movement.

🟠

Likely Case

Application crash (denial of service) or memory corruption leading to unpredictable behavior, with RCE being possible but requiring specific conditions.

🟢

If Mitigated

If proper input validation and memory protection mechanisms are in place, impact may be limited to application crashes or reduced to denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending malicious JSON input to trigger the double-free condition. The advisory suggests RCE is possible 'in some cases' but specific conditions are not detailed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: yyjson 0.9.0

Vendor Advisory: https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh

Restart Required: Yes

Instructions:

1. Update yyjson to version 0.9.0 or later.
2. Recompile any applications using yyjson with the updated library.
3. Restart affected services or applications.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement strict input validation and sanitization for JSON data before passing to yyjson parser.

Memory Protection Mechanisms

Platform: linux

Enable address space layout randomization (ASLR) and other memory protection features to reduce RCE risk.

sysctl -w kernel.randomize_va_space=2

🧯 If You Can't Patch

  • Implement network-level controls to restrict JSON input to trusted sources only.
  • Deploy web application firewall (WAF) rules to detect and block potentially malicious JSON payloads.

🔍 How to Verify

Check if Vulnerable:

Check if yyjson version is 0.8.0 or earlier. For compiled applications, check linked library versions or consult application documentation.

Check Version:

For source installations: check yyjson.h for YYJSON_VERSION_MAJOR/MINOR/PATCH macros. For package managers: rpm -q yyjson or dpkg -l | grep yyjson

Verify Fix Applied:

Verify yyjson version is 0.9.0 or later. Test JSON parsing functionality to ensure no crashes occur with various inputs.
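A small POSIX shell check that follows the verification steps above (an added example, not part of the advisory or of the yyjson project): it reads the YYJSON_VERSION_MAJOR/MINOR/PATCH macros out of a yyjson.h and compares the result against 0.9.0, the first fixed release named in the advisory. The header text used for the demo is a constructed excerpt, and the header path in the usage note is an assumption that depends on the install prefix.

```shell
#!/bin/sh
# Added example (not from the advisory or the yyjson project): decide whether a
# yyjson build is affected by CVE-2024-25713 from the version macros in yyjson.h.
# The advisory gives the affected range as "through 0.8.0" and the fix as 0.9.0.

YYJSON_FIXED_VERSION="0.9.0"

# version_cmp A B: print -1, 0 or 1 as dotted version A sorts before, equal to,
# or after B. Missing components count as 0, so "0.9" equals "0.9.0".
version_cmp() {
    va=$1; vb=$2
    old_ifs=$IFS
    IFS=.
    set -- $va
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# yyjson_is_vulnerable VERSION: true (exit 0) when VERSION is older than 0.9.0.
yyjson_is_vulnerable() {
    [ "$(version_cmp "$1" "$YYJSON_FIXED_VERSION")" -lt 0 ]
}

# macro_value NAME TEXT: print the numeric value of "#define NAME <digits>" in TEXT.
macro_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*#define[[:space:]]*$1[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# yyjson_version_from_text HEADER_TEXT: print "MAJOR.MINOR.PATCH" parsed from the
# contents of yyjson.h; fails (exit 1) if any of the three macros is missing.
yyjson_version_from_text() {
    major=$(macro_value YYJSON_VERSION_MAJOR "$1")
    minor=$(macro_value YYJSON_VERSION_MINOR "$1")
    patch=$(macro_value YYJSON_VERSION_PATCH "$1")
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo "YYJSON_VERSION_* macros not found" >&2
        return 1
    fi
    printf '%s.%s.%s\n' "$major" "$minor" "$patch"
}

# check_yyjson_header FILE: report on an installed yyjson.h.
# Exit 0 = affected, 1 = not affected, 2 = version could not be determined.
check_yyjson_header() {
    ver=$(yyjson_version_from_text "$(cat "$1")") || return 2
    if yyjson_is_vulnerable "$ver"; then
        echo "$1: yyjson $ver is affected by CVE-2024-25713 (fixed in $YYJSON_FIXED_VERSION)"
        return 0
    fi
    echo "$1: yyjson $ver is not affected by CVE-2024-25713"
    return 1
}

# Demo on a constructed excerpt (not a real yyjson.h) instead of a file on disk.
DEMO_HEADER='/* constructed excerpt for the demo */
#define YYJSON_VERSION_MAJOR  0
#define YYJSON_VERSION_MINOR  8
#define YYJSON_VERSION_PATCH  0'
demo_ver=$(yyjson_version_from_text "$DEMO_HEADER")
if yyjson_is_vulnerable "$demo_ver"; then
    echo "constructed header: yyjson $demo_ver is affected by CVE-2024-25713"
else
    echo "constructed header: yyjson $demo_ver is not affected"
fi
```

Against a real installation, run `check_yyjson_header /usr/include/yyjson.h` (the path is an assumption; use whatever prefix the library was installed under). For statically linked binaries the header of the build machine, not the runtime host, is the one that matters, which is why the advisory's fix instructions include a recompile.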

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults or memory corruption errors
  • Unexpected termination of JSON parsing services
  • Memory allocation/deallocation errors in application logs

Network Indicators:

  • Unusual JSON payloads being sent to services
  • Repeated connection attempts with malformed JSON data

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "double free" OR "memory corruption") AND (process="*yyjson*" OR process="*json*")
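The SIEM query above expresses "memory-corruption symptom AND json-related process". As an added example, not from the advisory, the same logic applied with grep to syslog-style lines, which is useful for triage on a host whose logs are not yet forwarded to a SIEM. The log lines, hostname, PIDs and addresses are all constructed; the message wording follows glibc's double-free abort text and the kernel's segfault report.

```shell
#!/bin/sh
# Added example (not from the advisory): filter plain-text log lines for the
# indicators listed above, requiring both a memory-corruption symptom and a
# process or unit whose name contains "json", so crashes of unrelated
# daemons do not show up as hits.

# scan_crash_lines: read log lines on stdin, print those that mention a
# memory-corruption symptom AND come from a json-related process ("name[pid]")
# or systemd unit ("name.service").
scan_crash_lines() {
    grep -i -E 'segmentation fault|segfault at|double free|memory corruption|SIGSEGV|/SEGV' \
        | grep -i -E '[^ ]*json[^ ]*(\[[0-9]+\]|\.service)'
}

# count_crash_hits TEXT: number of matching lines in TEXT (always exits 0).
count_crash_hits() {
    printf '%s\n' "$1" | scan_crash_lines | awk 'END { print NR }'
}

# Constructed sample lines: two crash records and one unit-exit record for a
# hypothetical "jsonsvc" daemon, plus two lines that must not match.
SAMPLE_LOGS='Mar  3 10:14:02 api01 jsonsvc[2231]: free(): double free detected in tcache 2
Mar  3 10:14:02 api01 kernel: jsonsvc[2231]: segfault at 0 ip 00007f00deadbeef sp 00007ffc0badc0de error 4 in libyyjson.so.0[7f00deadb000+20000]
Mar  3 10:14:05 api01 systemd[1]: jsonsvc.service: Main process exited, code=killed, status=11/SEGV
Mar  3 10:15:30 api01 sshd[1880]: Accepted publickey for ops from 10.0.0.5
Mar  3 10:16:00 api01 backupd[990]: double free or corruption (fasttop)'

# Demo: print the three hits (the sshd and backupd lines are filtered out).
printf '%s\n' "$SAMPLE_LOGS" | scan_crash_lines
```

The backupd line is the case the precedence fix in the query is about: it carries a double-free message, but it is not a JSON-handling process, so an unparenthesized `... OR "*json*"` would have mixed it in with every unrelated json log line while this filter keeps the two conditions joined.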

🔗 References
