
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-57052) has been discovered in the cJSON library, affecting versions 1.5.0 through 1.7.18. The flaw allows remote attackers to bypass array bounds checking and access restricted data through malformed JSON pointer strings containing alphanumeric characters. The vulnerability was disclosed in September 2025 and has received a CVSS score of 9.8 (Critical) (SecurityOnline, NVD).
The vulnerability resides in the decode_array_index_from_pointer function within cJSON_Utils.c. The core issue is a logic error in the loop condition that incorrectly checks pointer[0] instead of pointer[position], allowing non-digit characters to be processed as part of the array index. For example, an input like "0A" is interpreted as index 10, even if the array only contains three elements, leading to out-of-bounds memory access (X-0R).
The vulnerability can lead to multiple severe consequences including out-of-bounds memory access, segmentation faults, privilege escalation, and denial of service. The broad adoption of cJSON in web APIs, embedded/IoT devices, and various desktop and server applications makes this vulnerability particularly impactful. Attackers can potentially crash services, bypass application-level checks, and access sensitive data by reading beyond allocated memory regions (SecurityOnline).
The vulnerability can be fixed by correcting the loop condition in the decode_array_index_from_pointer function so that it validates each character position. The patched version should change the condition from pointer[0] <= '9' to pointer[position] <= '9'. Users are advised to update to the latest version of cJSON that includes this fix (X-0R).
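The two loop conditions side by side, as an added example: this is a simplified model written for this page, not cJSON's source. The names decode_index, decoded_or_reject and use_fixed_check, and the sample tokens, are constructed, and the lower-bound and terminator checks are assumptions about the surrounding function.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the index-decoding loop, not cJSON's source.
 * use_fixed_check = 0: upper bound tested on pointer[0] (flawed condition).
 * use_fixed_check = 1: upper bound tested on pointer[position] (fix).
 * The lower-bound and terminator checks are assumptions of this model. */
static int decode_index(const char *pointer, size_t *index, int use_fixed_check)
{
    size_t parsed = 0;
    size_t position = 0;

    for (;;) {
        char upper = use_fixed_check ? pointer[position] : pointer[0];
        if (pointer[position] < '0' || upper > '9') {
            break;
        }
        /* ASCII arithmetic: a letter here adds a value above 9. */
        parsed = (10 * parsed) + (size_t)(pointer[position] - '0');
        position++;
    }
    /* The token must end at the end of the string or at the next '/'. */
    if (pointer[position] != '\0' && pointer[position] != '/') {
        return 0;
    }
    *index = parsed;
    return 1;
}

/* Returns the decoded index, or -1 when the token is rejected. */
static long decoded_or_reject(const char *token, int use_fixed_check)
{
    size_t index = 0;
    return decode_index(token, &index, use_fixed_check) ? (long)index : -1L;
}

int main(void)
{
    const char *tokens[] = { "2", "1A", "2/name" }; /* constructed inputs */
    const long array_len = 3;                       /* three-element array */
    size_t i;

    for (i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
        long flawed = decoded_or_reject(tokens[i], 0);
        long fixed = decoded_or_reject(tokens[i], 1);
        printf("%-7s flawed=%ld%s fixed=%ld\n", tokens[i], flawed,
               flawed >= array_len ? " (past end)" : "", fixed);
    }
    return 0;
}
```

In this model the flawed condition accepts a token with a trailing letter and returns an index past the end of the three-element array, while the corrected condition rejects the same token and leaves well-formed tokens unchanged.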
Source: This report was generated using AI