CVE-2025-10948
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-10-13
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mikrotik | routeros | 7 |
| mikrotik | libjson | 7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10948 is a critical buffer overflow in parse_json_element, the JSON parsing routine of libjson.so as shipped with MikroTik RouterOS 7. The fault is in the handling of Unicode escapes: when the parser meets a `\u` that is not followed by the four hexadecimal digits the grammar requires, it does not fail the parse but keeps scanning for a string terminator that never arrives, and in doing so walks past the end of the input buffer. The result is an out-of-bounds memory access (CWE-119/CWE-120) and a crash of the process hosting the parser. The trigger reported by the sources is an HTTP POST with a crafted JSON body to the REST endpoint /rest/ip/address/print. Note that the proof-of-concept request on this page sends HTTP Basic credentials (the admin account with an empty password), so that request does not by itself demonstrate a bypass of authentication; the sources nonetheless describe the bug as reachable without valid credentials. [1, 3]
How can this vulnerability impact me?
The immediate impact is denial of service: the malformed escape drives the parser off the end of its buffer and the affected process crashes, taking the REST API with it. Because the root cause is a memory-safety defect rather than a pure logic error, the sources also raise the possibility of remote code execution, depending on the device's memory layout and the attacker's exploitation technique; no working code-execution exploit is described on this page, so treat that as an unconfirmed worst case when prioritising. The sources state that the flaw can be exploited remotely without valid credentials. The proof-of-concept shown here does supply credentials (admin with an empty password), so at minimum any RouterOS 7 device with a reachable REST API and a default or weak admin password should be considered exposed. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two approaches apply, and they differ in risk. The known proof-of-concept from the sources is an active test: a crafted POST with a malformed JSON body to /rest/ip/address/print. On a vulnerable device it crashes the parser, so run it only with authorisation, against a non-production unit or inside a maintenance window, and treat a crash as confirmation rather than treating the absence of one as proof the device is safe. The command is:

```
curl -k -u admin: -X POST http://<target-ip>/rest/ip/address/print \
  --data '{"0":"\u0\0\\"0' \
  -H "content-type: application/json"
```

The request authenticates as admin with an empty password, so substitute the device's real credentials. `-k` disables certificate verification and only matters if the REST API is served over https (the www-ssl service); with the http scheme shown it has no effect.

The passive approach is to inventory RouterOS 7 devices whose www (http) or www-ssl (https) service, which is where the REST API is served, is reachable from untrusted networks, and to log or alert on POST requests to /rest/ paths whose JSON bodies contain a `\u` that is not followed by four hexadecimal digits. A network intrusion detection system, or a web application firewall that terminates TLS in front of the device, can be configured to detect or block such payloads. No fixed version is listed on this page, so a version check alone cannot establish whether a given device is affected. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
No official patch or vendor mitigation is available at the time of writing; the sources report no vendor response. Immediate mitigation steps include:

- Do not expose RouterOS management interfaces to untrusted networks. On the device, restrict the www and www-ssl services (which serve the REST API) to management source addresses and back that up with input-chain firewall rules.
- If the REST API is not needed, disable those services; if it is, restrict access to the affected endpoint as far as the platform allows.
- Where a web application firewall or intrusion prevention system sits in front of the device and can inspect request bodies, block JSON payloads in which a `\u` escape is not followed by four hexadecimal digits, especially on requests to /rest/ip/address/print. This only helps if the proxy terminates TLS and the device cannot be reached around it.
- Apply the same strict input validation on any proxy or gateway that forwards requests to the device, rejecting malformed Unicode escape sequences before they reach the parser.
- Monitor network traffic for suspicious POST requests carrying malformed JSON, and monitor the devices themselves for unexpected crashes or restarts of the REST service.
- Ensure the admin account has a strong, non-default password. The proof-of-concept authenticates as admin with an empty password; this does not remove the risk, since the sources state credentials are not required, but it closes the path the published request actually uses.
- Until a fixed build of RouterOS or libjson.so is available, isolate affected devices or consider alternative products. [1, 2]
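As an added illustration, not code from libjson, MikroTik or this page's sources, the C program below reconstructs the failure mode described in the explanation above in a toy JSON string scanner (an incomplete `\u` escape makes it step past the end of the input while hunting for the closing quote) and sets beside it the bounded scanner that the "strict input validation on any proxy or gateway" step calls for, which rejects such bodies before they reach the device. Function names, the arena layout and the first sample payload are assumptions made for the example; the second payload is the body from the proof-of-concept curl command on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example for this page: a toy JSON string scanner that reconstructs
 * the failure mode attributed to parse_json_element (an incomplete \u escape
 * drives the scanner past the end of the input while it looks for the
 * closing quote), next to a bounded version a proxy or gateway could use to
 * reject such bodies. Names and payloads are assumptions; this is not
 * libjson's code.
 */

/*
 * VULNERABLE: scans from the opening quote at buf[0] and returns the index
 * one past the closing quote. After a backslash-u it unconditionally skips
 * four characters, and the loop never consults `len`, so a body that ends
 * inside an escape sends it reading beyond the input until it happens to
 * meet a quote (or an unmapped page). In the demo below the caller places
 * the input inside a larger arena so the over-read stays observable and
 * does not touch memory the program does not own.
 */
static long scan_string_vulnerable(const char *buf, size_t len) {
    size_t i = 1;
    (void)len;                            /* bounds parameter ignored: the bug */
    for (;;) {
        char c = buf[i];
        if (c == '"')
            return (long)(i + 1);
        if (c == '\\') {
            i += (buf[i + 1] == 'u') ? 6 : 2;  /* assumes "\uXXXX" or "\X" */
            continue;
        }
        i++;
    }
}

/*
 * HARDENED: same contract, but every read is checked against `len`, a \u
 * escape must have exactly four hex digits inside the buffer, and a missing
 * terminator returns -1 instead of running on.
 */
static long scan_string_safe(const char *buf, size_t len) {
    if (len == 0 || buf[0] != '"')
        return -1;
    size_t i = 1;
    while (i < len) {
        char c = buf[i];
        if (c == '"')
            return (long)(i + 1);
        if (c == '\\') {
            if (i + 1 >= len)
                return -1;                        /* body ends after '\' */
            if (buf[i + 1] == 'u') {
                if (i + 6 > len)
                    return -1;                    /* fewer than 4 chars remain */
                for (size_t k = i + 2; k < i + 6; k++)
                    if (!isxdigit((unsigned char)buf[k]))
                        return -1;                /* "\u" not followed by hex */
                i += 6;
            } else {
                i += 2;
            }
            continue;
        }
        i++;
    }
    return -1;                                    /* no closing quote in len */
}

/*
 * Gateway-style pre-check: walk a JSON body and run the bounded scanner on
 * every string literal. Returns 1 if all strings are terminated and every
 * \u escape is well formed, 0 otherwise. Only string syntax is checked;
 * this is a filter in front of the parser, not a full JSON validator.
 */
static int json_strings_wellformed(const char *body, size_t len) {
    size_t i = 0;
    while (i < len) {
        if (body[i] == '"') {
            long end = scan_string_safe(body + i, len - i);
            if (end < 0)
                return 0;
            i += (size_t)end;
        } else {
            i++;
        }
    }
    return 1;
}

int main(void) {
    /* Constructed payloads: a valid escape, and the body from the page's
     * proof-of-concept command, {"0":"\u0\0\\"0, as the shell delivers it. */
    const char *good = "{\"0\":\"\\u0041\"}";
    const char *poc  = "{\"0\":\"\\u0\\0\\\\\"0";
    printf("valid escape accepted: %d\n", json_strings_wellformed(good, strlen(good)));
    printf("PoC body accepted:     %d\n", json_strings_wellformed(poc, strlen(poc)));

    /* Arena demo: the logical input is 4 bytes ("\u0, an escape cut short);
     * a quote is planted 5 bytes past that end so the over-read is visible. */
    char arena[16] = {0};
    memcpy(arena, "\"\\u0", 4);
    arena[9] = '"';
    printf("vulnerable scanner end: %ld (input len 4)\n", scan_string_vulnerable(arena, 4));
    printf("hardened scanner end:   %ld\n", scan_string_safe(arena, 4));
    return 0;
}
```

The vulnerable scanner reports a terminator at offset 10 of a 4-byte input, which is exactly the over-read the advisory describes; on a real heap the bytes after the input are whatever the allocator left there, and with no quote among them the loop keeps going until it faults. The bounded scanner refuses the same input, and the proof-of-concept body from this page is rejected because the characters after `\u` are not hexadecimal digits.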