CVE-2023-50471

cjson: segmentation violation in function cJSON_InsertItemInArray

  • Severity Score: 7.5 (CVSS v3.1)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.

cJSON v1.7.16 was found to contain a segmentation fault via the function cJSON_InsertItemInArray in cJSON.c.

A flaw was discovered in the cJSON package. Certain input conditions may trigger a null pointer dereference, which can lead to a denial of service.

An update that fixes three vulnerabilities is now available. This update for cJSON fixes the following issues.
  • NULL pointer dereference via cJSON_SetValuestring
  • Remove non-functional list handling of compiler flags.
  • Fixed heap buffer overflow
  • remove misused optimization flag -01
  • Set free'd pointers to NULL whenever they are not reassigned immediately after CVE-2023-50471).
  • Fixed null reference in cJSON_SetValuestring.
  • Fixed null reference in cJSON_InsertItemInArray.
  • Add an option for ENABLE_CJSON_VERSION_SO in CMakeLists.txt
  • Add cmake_policy to CMakeLists.txt
  • Add cJSON_SetBoolValue
  • Add meson documentation.
  • Fixed memory leak in merge_patch.
  • Fixed conflicting target names 'uninstall'
  • Bump cmake version to 3.0 and use new version syntax
  • Print int without decimal places.
  • Fixed 'cjson_utils-static' target not exist
  • Add allocate check for replace_item_in_object.
  • Fixed a null pointer crash in cJSON_ReplaceItemViaPointer.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: Low

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-12-11 CVE Reserved
  • 2023-12-14 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2025-06-28 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-476: NULL Pointer Dereference
Affected Vendors, Products, and Versions
Vendor          Product   Version   Other   Status
Cjson Project   Cjson     1.7.16    -       Affected