CVE-2025-7977: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-7977) was discovered in Ashlar-Vellum Cobalt that allows remote attackers to execute arbitrary code. The vulnerability was identified on July 22, 2025, and affects version 12.0.1204.91 of the software. This out-of-bounds read vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page, to be exploited (Zero Day Initiative).

The vulnerability exists within the parsing of LI files in Ashlar-Vellum Cobalt. The specific flaw results from the lack of proper validation of user-supplied data, which can result in a read before the start of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Ashlar-Vellum Cobalt. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the system (Zero Day Initiative).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. The vulnerability was initially reported to the vendor on October 11, 2024, with the vendor confirming that resolving the issue was in progress on March 20, 2025 (Zero Day Initiative).