CVE-2024-31755

7.6 HIGH

📋 TL;DR

CVE-2024-31755 is a NULL pointer dereference vulnerability in cJSON v1.7.17 that can cause segmentation faults when the cJSON_SetValuestring function receives invalid parameters. This affects any application using the vulnerable cJSON library version for JSON parsing. Attackers can trigger crashes leading to denial of service.

💻 Affected Systems

Products:
  • cJSON library
Versions: v1.7.17 specifically
Operating Systems: All platforms where cJSON is used (Linux, Windows, macOS, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the cJSON_SetValuestring function with invalid parameters. Applications not using this function are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash leading to denial of service, potentially disrupting critical services that depend on JSON parsing functionality.

🟠 Likely Case: Application segmentation fault causing service interruption and potential data loss in active transactions.

🟢 If Mitigated: Controlled crash with minimal impact if proper error handling and monitoring are implemented.

🌐 Internet-Facing: MEDIUM - Exploitable if JSON parsing endpoints are exposed, but requires specific input manipulation.
🏢 Internal Only: LOW - Requires access to internal JSON parsing functionality and specific malformed input.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed JSON data to trigger the segmentation violation. No authentication needed if vulnerable endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.7.18 or later

Vendor Advisory: https://github.com/DaveGamble/cJSON/issues/839

Restart Required: Yes

Instructions:

1. Update cJSON to version 1.7.18 or later.
2. Recompile any applications using cJSON.
3. Restart affected services.

🔧 Temporary Workarounds

Input validation wrapper (all platforms)

Add parameter validation before calling cJSON_SetValuestring

// Add NULL checks before calling cJSON_SetValuestring
if (object != NULL && string != NULL) {
    cJSON_SetValuestring(object, string);
}

🧯 If You Can't Patch

  • Implement strict input validation for all JSON parsing functions
  • Use application-level monitoring to detect and restart crashed processes

🔍 How to Verify

Check if Vulnerable:

Check cJSON version in source code or compiled library. Version 1.7.17 is vulnerable.

Check Version:

grep 'CJSON_VERSION' cJSON.h or check library documentation

Verify Fix Applied:

Verify cJSON version is 1.7.18 or later and test with malformed JSON input.
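
Added example (not from the original page or the cJSON project): a POSIX shell check that reads the CJSON_VERSION_MAJOR, CJSON_VERSION_MINOR and CJSON_VERSION_PATCH macros from cJSON.h and classifies the header against the versions named above. The function names and the sample header are constructed for illustration; pass the path of a real cJSON.h as the first argument.

```shell
#!/bin/sh
# Classify a cJSON.h against the versions named in this advisory.

# Print one CJSON_VERSION_* macro value ($2 = MAJOR|MINOR|PATCH) from header $1.
# CR characters are stripped so headers with Windows line endings also parse.
cjson_macro() {
    tr -d '\r' < "$1" |
        awk -v name="CJSON_VERSION_$2" '$1 == "#define" && $2 == name { print $3; exit }'
}

# Print MAJOR.MINOR.PATCH, or return 1 if a macro is missing or non-numeric.
cjson_version() {
    v=""
    for part in MAJOR MINOR PATCH; do
        n=$(cjson_macro "$1" "$part")
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        v="${v:+$v.}$n"
    done
    printf '%s\n' "$v"
}

# Print "vulnerable", "fixed" or "older" followed by the version, or "unknown".
cjson_status() {
    ver=$(cjson_version "$1") || { echo "unknown"; return 0; }
    # Fold the version into one integer for comparison: 1.7.17 -> 1007017.
    key=$(printf '%s\n' "$ver" | awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }')
    if [ "$key" -ge 1007018 ]; then echo "fixed $ver"        # 1.7.18 or later
    elif [ "$key" -eq 1007017 ]; then echo "vulnerable $ver" # release named on this page
    else echo "older $ver"                                   # not covered by this page
    fi
}

# Constructed sample header: only the three version macros, with CRLF endings.
# $1 = output path, $2 = patch level to write.
sample_header() {
    printf '#define CJSON_VERSION_MAJOR 1\r\n#define CJSON_VERSION_MINOR 7\r\n#define CJSON_VERSION_PATCH %s\r\n' "$2" > "$1"
}

demo_dir=$(mktemp -d)
sample_header "$demo_dir/cJSON.h" 17
cjson_status "${1:-$demo_dir/cJSON.h}"
rm -rf "$demo_dir"
```

The header only describes the source tree it came from; a binary that statically links or vendors its own copy of cJSON has to be checked against the header it was actually built with.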

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • Application crash logs
  • JSON parsing errors

Network Indicators:

  • Unusual JSON payloads to parsing endpoints
  • Repeated crash-inducing requests

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "SIGSEGV") AND process="*cjson*"
