CVE-2025-7982: 
NixOS vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-7982) was discovered in Ashlar-Vellum Cobalt's LI file parsing functionality. The vulnerability was reported to the vendor on October 31, 2024, and was publicly disclosed on July 22, 2025, after multiple unsuccessful attempts to get updates from the vendor. The vulnerability affects Ashlar-Vellum Cobalt software and has been assigned a CVSS score of 7.8 (High) (ZDI Advisory).

The vulnerability exists within the parsing of LI files in Ashlar-Vellum Cobalt. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in an integer overflow condition before allocating a buffer. The vulnerability has been assigned a CVSS v3 base score of 7.8 with the following vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. The attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining the same privileges as the application (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy provided is to restrict interaction with the product. As of the disclosure date, no official patch has been released by the vendor (ZDI Advisory).