CVE-2025-57052
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-11-03

Assigner: MITRE

Description
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
davegamble cjson From 1.5.0 (inc) to 1.7.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-57052 is a critical vulnerability in the cJSON library versions 1.5.0 through 1.7.18. It occurs in the decode_array_index_from_pointer function in cJSON_Utils.c, where improper input validation during JSON pointer parsing allows attackers to bypass array bounds checking. Specifically, a faulty loop condition causes non-digit characters to be misinterpreted as digits, leading to out-of-bounds array access. For example, a malformed JSON pointer like '/0A' is parsed incorrectly, causing the program to access memory outside the intended array bounds, which can result in segmentation faults or denial of service. [1]

Impact Analysis

This vulnerability can allow remote attackers to cause out-of-bounds memory access in applications using the affected cJSON versions. This can lead to segmentation faults, crashes, or denial of service conditions. Any software that uses cJSON for JSON pointer parsing, including web APIs, embedded/IoT devices, and desktop/server applications, may be impacted if they process malformed JSON pointers from untrusted sources. [1]

Detection Guidance

This vulnerability can be detected by monitoring for application crashes or segmentation faults when processing JSON pointers, especially those containing malformed indices like '/0A'. You can test vulnerable applications by sending crafted JSON pointer strings with alphanumeric characters in array indices to see if they cause crashes or unexpected behavior. For example, using curl or similar tools to send JSON payloads with pointers such as '/0A' to APIs that use cJSON for JSON pointer parsing. Additionally, reviewing application logs for segmentation faults or denial of service symptoms related to JSON pointer processing can help detect exploitation attempts. There are no specific commands provided, but fuzz testing JSON pointer inputs or using debugging tools to trace cJSON_Utils.c behavior during JSON parsing can assist in detection. [1]

Mitigation Strategies

The immediate mitigation step is to update the cJSON library to a version where the loop condition in decode_array_index_from_pointer is corrected to properly validate each character as a digit. Specifically, the loop condition should be changed from checking 'pointer[0]' to 'pointer[position]' to ensure only digit characters are processed. If updating is not immediately possible, applying the patch that fixes the loop condition in cJSON_Utils.c can prevent out-of-bounds access. Additionally, implementing input validation or sanitization on JSON pointer strings before they reach cJSON parsing can reduce risk. Monitoring and restricting malformed JSON pointer inputs at the application or network level can also help mitigate exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart