CVE-2025-7993: 
NixOS vulnerability analysis and mitigation

Ashlar-Vellum Cobalt contains a Use-After-Free vulnerability in the parsing of LI files that allows remote attackers to execute arbitrary code on affected installations. The vulnerability was discovered and reported on March 12, 2025, and was assigned CVE-2025-7993. User interaction is required to exploit this vulnerability, specifically requiring the target to visit a malicious page or open a malicious file (Zero Day Initiative).

The vulnerability stems from the lack of validating the existence of an object prior to performing operations on the object during LI file parsing. This Use-After-Free (CWE-416) vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High), with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability affects Ashlar-Vellum Cobalt version 12.0.1204.91 (Zero Day Initiative).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current process. This could potentially lead to complete system compromise, allowing the attacker to execute malicious code, access sensitive information, or take control of the affected system (Zero Day Initiative).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. As of July 30, 2025, no official patch has been released by the vendor (Zero Day Initiative).

The vulnerability was discovered by security researcher Rocco Calvi (@TecR0c) with TecSecurity. Despite multiple follow-ups from ZDI on May 2 and June 19, 2025, the vendor's response was limited to acknowledging the initial report, leading to the vulnerability being published as a 0-day advisory (Zero Day Initiative).