CVE-2025-57052

9.8 CRITICAL

📋 TL;DR

cJSON versions 1.5.0 through 1.7.18 contain an out-of-bounds access vulnerability in the decode_array_index_from_pointer function. This allows remote attackers to bypass array bounds checking and access restricted memory by sending malformed JSON pointer strings containing alphanumeric characters. Any application using vulnerable cJSON versions to parse untrusted JSON data is affected.

💻 Affected Systems

Products:
  • cJSON
Versions: 1.5.0 through 1.7.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using cJSON to parse untrusted JSON input is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or service disruption.

🟠 Likely Case: Memory corruption leading to denial of service, information disclosure, or application crashes.

🟢 If Mitigated: Limited impact if input validation or sandboxing prevents exploitation, though risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists; exploitation requires sending malformed JSON pointer strings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.19 or later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2025/09/msg00019.html

Restart Required: Yes

Instructions:

1. Update cJSON to version 1.7.19 or later.
2. Recompile and redeploy any applications using cJSON.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation (applies to: all)

Implement strict input validation to reject malformed JSON pointer strings before processing.

Memory Sanitization (applies to: all)

Use address sanitizers or memory protection mechanisms to detect and prevent out-of-bounds access.
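As an added example (not cJSON's own code), a strict RFC 6901 array-index check of the kind the Input Validation workaround calls for, applied to one reference token of a JSON pointer before the pointer reaches the parser; the function names, the array length and the sample pointers are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Strict RFC 6901 array index check for one reference token (the text
 * between two '/' in a JSON pointer). Accepts only "0" or a non-zero digit
 * followed by digits, with every character consumed and the value below
 * array_len. Rejects empty tokens, leading zeros, signs, and any trailing
 * alphanumeric characters such as "12x", the malformed class this advisory
 * describes. Hypothetical helper, not part of cJSON. */
bool strict_array_index(const char *token, size_t token_len,
                        size_t array_len, size_t *out_index)
{
    size_t index = 0;
    if (token == NULL || token_len == 0) return false;
    if (token[0] == '0' && token_len > 1) return false;   /* leading zero */
    for (size_t i = 0; i < token_len; i++) {
        char c = token[i];
        if (c < '0' || c > '9') return false;             /* "12x", "-1" */
        size_t digit = (size_t)(c - '0');
        if (index > (SIZE_MAX - digit) / 10) return false; /* overflow */
        index = index * 10 + digit;
    }
    if (index >= array_len) return false;                  /* bounds check */
    if (out_index != NULL) *out_index = index;
    return true;
}

/* Gate for a pointer string such as "/items/3" whose final token must be an
 * in-bounds index into an array of array_len elements. A '/' inside a token
 * is always escaped as "~1" in RFC 6901, so splitting on the last '/' is
 * safe. Constructed pre-parse check; it does not walk the JSON document. */
bool pointer_last_token_is_index(const char *pointer, size_t array_len,
                                 size_t *out_index)
{
    if (pointer == NULL || pointer[0] != '/') return false;
    const char *last = strrchr(pointer, '/') + 1;
    return strict_array_index(last, strlen(last), array_len, out_index);
}
```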

🧯 If You Can't Patch

  • Isolate vulnerable systems behind firewalls and restrict network access.
  • Implement network-based intrusion detection to monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check cJSON version in use; if between 1.5.0 and 1.7.18 inclusive, it is vulnerable.

Check Version:

Check application dependencies or use package manager (e.g., 'dpkg -l | grep cjson' on Debian).

Verify Fix Applied:

Verify cJSON version is 1.7.19 or later and test with known malicious JSON pointer strings.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes, memory access errors, or unexpected termination logs.

Network Indicators:

  • Incoming JSON payloads containing malformed pointer strings with alphanumeric characters.

SIEM Query:

Search for network traffic containing patterns like '/~' or unusual JSON pointer syntax in payloads.
