cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters.
An attacker sends a specially crafted JSON pointer string containing alphanumeric characters, which is incorrectly processed by the decode_array_index_from_pointer function. This function does not properly validate array indices (CWE-129 — improper validation of array index), leading to reading data outside the permitted memory range (CWE-125 — out-of-bounds read). As a result, the array boundary checking mechanism is bypassed, and the library gains access to memory areas exceeding the allocated buffer.
A remote attacker can gain access to protected data in the application's memory, threatening the confidentiality, integrity, and availability of the system. Due to the critical CVSS score (9.8) and no authentication requirements, the vulnerability poses serious risk in any environment where the application processes untrusted JSON data.
The cJSON library should be updated to a version higher than 1.7.18, in which the vulnerability was removed. Users of Debian distributions should apply patches published as part of debian-lts-announce (September 2025). Detailed information is available at: https://x-0r.com/posts/cJSON-Array-Index-Parsing-Vulnerability and https://lists.debian.org/debian-lts-announce/2025/09/msg00019.html
The cJSON library (authored by Davegamble) in versions 1.5.0 to 1.7.18 inclusive; affects all applications using the cJSON_Utils.c component
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDavegamble Cjson
APPDavegamble1.5.0 – 1.7.18
Related vulnerabilities
cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a string literal.
cJSON before 1.7.11 allows out-of-bounds access, related to multiline comments.
parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer over-read, as demonstrated by a string that be...
Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in cJSON library ...
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSO...