CVE-2025-7984: 
NixOS vulnerability analysis and mitigation

A vulnerability in Ashlar-Vellum Cobalt's AR file parsing functionality has been identified as CVE-2025-7984. The vulnerability was discovered on November 21, 2024, and publicly disclosed on July 22, 2025. This security flaw affects installations of Ashlar-Vellum Cobalt and stems from improper memory initialization during AR file parsing (ZDI Advisory).

The vulnerability has been assigned a CVSS v3.0 score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the parsing of AR files, where the application fails to properly initialize memory before accessing it. This uninitialized variable issue can be leveraged by attackers to execute arbitrary code (ZDI Advisory).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. The attack can lead to complete system compromise, with the malicious code executing in the context of the current process (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy recommended is to restrict interaction with the product. As of the disclosure date, no official patch was available from the vendor despite multiple follow-ups from ZDI between November 2024 and July 2025 (ZDI Advisory).

The vulnerability was initially reported to the vendor by Rocco Calvi (@TecR0c) with TecSecurity. Despite acknowledging the receipt of the report on November 22, 2024, and confirming that resolving the issue was in progress on March 20, 2025, the vendor's lack of timely response led to a 0-day advisory publication (ZDI Advisory).