CVE-2025-7984: 
NixOS vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-7984) was discovered in Ashlar-Vellum Cobalt affecting AR file parsing functionality. The vulnerability was reported to the vendor on November 21, 2024, and was publicly disclosed on July 22, 2025. The vulnerability affects Ashlar-Vellum Cobalt installations and has been assigned a CVSS score of 7.8 (ZDI Advisory).

The vulnerability stems from the lack of proper initialization of memory prior to accessing it during the parsing of AR files. This uninitialized variable issue can be exploited when processing AR files, potentially leading to arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Ashlar-Vellum Cobalt. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. The vendor was notified of the vulnerability but had not released a patch at the time of disclosure (ZDI Advisory).