CVE-2025-57052: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-57052 affects cJSON versions 1.5.0 through 1.7.18, discovered and disclosed on September 3, 2025. The vulnerability allows out-of-bounds access via the decodearrayindexfrompointer function in cJSON_Utils.c, enabling remote attackers to bypass array bounds checking and access restricted data through malformed JSON pointer strings containing alphanumeric characters (NVD).

The vulnerability exists in the cJSON library's decodearrayindexfrompointer function within cJSON_Utils.c. The core issue lies in improper input validation where the loop incorrectly checks pointer[0] instead of pointer[position], allowing non-digit characters to be processed as part of the array index. For example, an input of '0A' is incorrectly parsed as index 10, potentially leading to out-of-bounds array access. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (X-0R Blog, NVD).

The vulnerability can lead to out-of-bounds memory access, potential segmentation faults, and denial of service conditions. Applications using the cJSON JSON Pointer API where untrusted users can supply specially crafted JSON pointer strings are particularly at risk. The high CVSS score indicates critical severity with potential for complete system compromise (X-0R Blog).

The recommended fix involves modifying the loop condition in the decodearrayindexfrompointer function to properly validate each character position: for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++). This ensures proper validation of array indices and prevents out-of-bounds access (X-0R Blog).