CVE-2025-57052
Published: 03 September 2025
Summary
CVE-2025-57052 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Davegamble Cjson. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 49.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-57052 is an out-of-bounds access vulnerability affecting the cJSON library in versions 1.5.0 through 1.7.18. The core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core core
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26527
Vulnerability details
cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the out-of-bounds access vulnerability in cJSON versions 1.5.0-1.7.18 by identifying, reporting, and patching the flawed decode_array_index_from_pointer function.
Validates JSON pointer strings to reject malformed inputs containing alphanumeric characters that bypass array bounds checking in cJSON.
Scans systems for the specific CVE-2025-57052 vulnerability in deployed cJSON libraries to identify vulnerable versions 1.5.0-1.7.18.