CVE-2025-57052: Critical JSON Parsing Flaw in cJSON With CVSS 9.8, PoC Available

Security researcher Salah Chafai, an Exploit Development & Security specialist, has disclosed a critical flaw in the widely used cJSON library, a lightweight JSON parser for C. Tracked as CVE-2025-57052 (CVSS 9.8), the vulnerability allows attackers to craft malformed JSON pointers that bypass array bounds checking, resulting in out-of-bounds memory access, segmentation faults, privilege escalation, or denial of service.

The issue resides in the decode_array_index_from_pointer function within cJSON_Utils.c.

According to the report, “The loop incorrectly checks pointer[0] instead of pointer[position], allowing non-digit characters to be processed as part of the array index.”

This logic error means that input like “0A” is interpreted as the index 10, even if the array only contains three elements. Such out-of-bounds access can crash applications or, in certain contexts, allow attackers to read or manipulate memory outside intended limits.

To demonstrate exploitation, Chafai published a minimal C program that uses cJSON to parse a JSON array of users. While valid indices “0” and “1” return Alice and Bob’s data, the crafted index “0A” makes cJSON attempt to access element 10, which does not exist.

As the report highlights, “Supplying the index 0A will cause cJSON to access index 10, which is out of bounds and may result in a segmentation fault (crash).”

Because cJSON is embedded in countless projects, the vulnerability affects a broad range of software:

• Web APIs handling JSON pointers.
• Embedded/IoT devices where lightweight parsers are critical.
• Desktop and server applications that rely on structured JSON inputs.

The report warns, “Any software using cJSON for JSON pointer parsing… can be exploited for denial of service. In environments where malformed input can be supplied to JSON pointer APIs, the risk is especially critical.”

Attackers could abuse CVE-2025-57052 to:

• Crash services via segmentation faults.
• Bypass application-level checks by supplying indices that are parsed differently by cJSON than by atoi.
• Potentially escalate privileges or access sensitive data by reading beyond allocated memory regions.

The fix is straightforward: correct the loop condition.

• Vulnerable code:

for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++)

• Patched code:

for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++)

This ensures that each character in the pointer string is validated properly before being parsed as part of an array index.

Related Posts:

• Mozilla Releases Security Updates to fix critical bugs in Firefox and Firefox ESR
• BIND DNS Server Vulnerable to Remote Crash
• MongoDB Hit by Pre-Auth Denial of Service Vulnerability