CVE-2024-31755

cjson: segmentation violation trigger through the second parameter of function cJSON_SetValuestring at cJSON.c

  • Severity Score: 7.6 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)

Descriptions

cJSON v1.7.17 was discovered to contain a segmentation violation, which can trigger through the second parameter of function cJSON_SetValuestring at cJSON.c.

A flaw was found in cJSON. This issue contains a segmentation violation, which can trigger through the second parameter of the cJSON_SetValuestring function at cJSON.c.

An update that fixes three vulnerabilities is now available. This update for cJSON fixes the following issues:

  • NULL pointer dereference via cJSON_SetValuestring
  • Remove non-functional list handling of compiler flags.
  • Fixed heap buffer overflow
  • remove misused optimization flag -01
  • Set free'd pointers to NULL whenever they are not reassigned immediately after CVE-2023-50471).
  • Fixed null reference in cJSON_SetValuestring.
  • Fixed null reference in cJSON_InsertItemInArray.
  • Add an option for ENABLE_CJSON_VERSION_SO in CMakeLists.txt
  • Add cmake_policy to CMakeLists.txt
  • Add cJSON_SetBoolValue
  • Add meson documentation.
  • Fixed memory leak in merge_patch.
  • Fixed conflicting target names 'uninstall'
  • Bump cmake version to 3.0 and use new version syntax
  • Print int without decimal places.
  • Fixed 'cjson_utils-static' target not exist
  • Add allocate check for replace_item_in_object.
  • Fixed a null pointer crash in cJSON_ReplaceItemViaPointer.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Complete

* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: PoC
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-05 CVE Reserved
  • 2024-04-26 CVE Published
  • 2024-08-02 CVE Updated
  • 2025-07-09 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Cjson Project | Cjson | *- | | Affected |
| Canonical | Ubuntu Linux | *- | | Affected |
| Fedoraproject | Fedora | *- | | Affected |
| Opensuse | Leap | *- | | Affected |