CVE-2025-10948
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-10-13

Assigner: VulDB

Description
A vulnerability has been found in MikroTik RouterOS 7. It affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to a buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.20.1 and 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."
Meta Information
Published: 2025-09-25
Last Modified: 2025-10-13
Generated: 2026-05-07
AI Q&A: 2025-09-25
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mikrotik routeros 7
mikrotik libjson 7
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10948 is a critical buffer overflow vulnerability in the JSON parsing function parse_json_element of the libjson.so library used by MikroTik RouterOS 7. It occurs when the parser processes malformed JSON input containing incomplete Unicode escape sequences starting with '\u' but missing the required four hexadecimal digits. This improper handling causes the parser to enter an infinite loop searching for a string terminator that never appears, leading to out-of-bounds memory access and application crash. The vulnerability can be triggered remotely via HTTP POST requests with crafted JSON payloads to the /rest/ip/address/print endpoint, even bypassing basic authentication. [1, 3]


How can this vulnerability impact me?

This vulnerability can cause immediate denial of service by crashing the affected application due to infinite loops and memory corruption. Additionally, depending on the system's memory layout and exploitation techniques, it may allow remote code execution, compromising the confidentiality, integrity, and availability of the affected system. Attackers can exploit this remotely without needing valid authentication credentials. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted HTTP POST request with a malformed JSON payload to the vulnerable endpoint /rest/ip/address/print on MikroTik RouterOS devices. A known proof-of-concept command uses curl to send such a payload, which triggers the vulnerability and causes the parser to crash. The command is:

    curl -k -u admin: -X POST http://<target-ip>/rest/ip/address/print \
      --data '{"0":"\u0\0\\"0' \
      -H "content-type: application/json"

Monitoring for crashes or denial of service on the device after such requests can indicate the presence of the vulnerability. Network intrusion detection systems or web application firewalls can be configured to detect or block malformed Unicode escape sequences in JSON payloads targeting this endpoint. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

- Deploy web application firewalls or intrusion prevention systems to filter and block malformed Unicode escape sequences in JSON payloads, especially those targeting the /rest/ip/address/print endpoint.
- Avoid exposing the vulnerable MikroTik RouterOS management interfaces to untrusted networks.
- Consider disabling or restricting access to the affected REST API endpoint if possible.
- Monitor network traffic for suspicious POST requests containing malformed JSON.
- Until a patched version of libjson.so or RouterOS is available, consider using alternative products or isolating affected devices.
- Implement strict input validation on any proxy or gateway devices to reject malformed Unicode sequences.

No official patch or vendor mitigation is currently available due to lack of vendor response. [1, 2]
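One way to implement the gateway-side input validation from the list above, as an added example that is not code from this advisory, from MikroTik or from BaseFortify: a scanner that walks a JSON request body and flags `\u` escapes lacking four hexadecimal digits, other invalid escapes, and unterminated strings. The function names, the `/rest/` path-prefix policy and the benign sample body are assumptions; the malformed sample is the request body from the curl command on this page.

```python
import re

HEX4 = re.compile(rb"[0-9A-Fa-f]{4}")
SIMPLE_ESCAPES = b'"\\/bfnrt'  # single-character escapes allowed by RFC 8259
# Request body taken from the curl command quoted on this page.
PAGE_PAYLOAD = rb'{"0":"\u0\0\\"0'
# Constructed benign body with a well-formed \u escape (assumption).
BENIGN = b'{"address":"192.0.2.1/24","comment":"caf\\u00e9"}'


def find_malformed_escapes(body: bytes) -> list[tuple[int, str]]:
    """Return (offset, reason) for each escape problem inside JSON strings."""
    findings = []
    in_string, string_start, i = False, 0, 0
    while i < len(body):
        ch = body[i:i + 1]
        if not in_string:
            if ch == b'"':
                in_string, string_start = True, i
            i += 1
        elif ch == b'"':
            in_string = False
            i += 1
        elif ch == b"\\":
            nxt = body[i + 1:i + 2]
            if nxt == b"u":
                # A \u escape must be followed by exactly four hex digits.
                if HEX4.fullmatch(body[i + 2:i + 6]):
                    i += 6
                    continue
                findings.append((i, "incomplete-unicode-escape"))
            elif nxt == b"":
                findings.append((i, "truncated-escape"))
            elif nxt not in SIMPLE_ESCAPES:
                findings.append((i, "invalid-escape"))
            i += 2
        else:
            i += 1
    if in_string:
        findings.append((string_start, "unterminated-string"))
    return findings


def should_block(method: str, path: str, body: bytes) -> bool:
    """Hypothetical gateway policy: reject REST POSTs with malformed escapes."""
    return (method == "POST" and path.startswith("/rest/")
            and bool(find_malformed_escapes(body)))


if __name__ == "__main__":
    for name, body in (("page payload", PAGE_PAYLOAD), ("benign", BENIGN)):
        print(name, find_malformed_escapes(body))
```

The offsets in the findings can be logged alongside the source address to support the traffic monitoring step in the same list.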

