CVE-2024-25713

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-25713

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25713.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-25713

Aliases

GHSA-q4m7-9pcm-fpxh

Published

2024-02-29T01:44:16Z

Modified

2024-05-14T13:10:03.434528Z

Summary

[none]

Details

yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the poolfree function lacks loop checks. (poolfree is part of the pool series allocator, along with poolmalloc and poolrealloc.)

References

https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6KQ67T4R7QEWURW5NMCCVLTBASL4ECHE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NNICQVIF7BRYFWYRL3HPVAJIPXN4OVTX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TKQPEREDUDKGYJMFNFDQVYCVLWDRO2Y2/

Affected packages

Git / github.com/ibireme/yyjson

Affected ranges

Type: GIT
Repo: https://github.com/ibireme/yyjson
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

e01ae9d89eaf858894d366169329097171a28d67

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.5.1

0.6.0

0.7.0

0.8.0