CVE-2023-53154 — Out-of-bounds Read in Project Cjson

CWE-125 — Out-of-bounds Read8 documents7 sources

Severity

5.5MEDIUMNVD

OSV2.9

EPSS

0.1%

top 74.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cjson Project Cjson Debian Cjson Msrc Azl3 Apparmor 3.1.7-1 ON Azure Linux 3.0 +5 more

Timeline

PublishedMay 23

Latest updateJan 23

Description

parse_string in cJSON before 1.7.18 has a heap-based buffer over-read via {"1":1, with no trailing newline if cJSON_ParseWithLength is called.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages10 packages

▶debiandebian/cjson< cjson 1.7.15-1+deb12u3 (bookworm)

▶NVDcjson_project/cjson< 1.7.18

▶Debiancjson_project/cjson< 1.7.14-1+deb11u2+3

▶Ubuntucjson_project/cjson< 1.7.15-1ubuntu0.1+3

▶msrcmsrc/azl3_ceph_18.2.2-8_on_azure_linux_3.0

🔴Vulnerability Details

OSV

cjson vulnerabilities↗2026-01-23

▶

GHSA

GHSA-8h4w-44qv-79mq: parse_string in cJSON before 1↗2025-05-23

▶

OSV

CVE-2023-53154: parse_string in cJSON before 1↗2025-05-23

▶

📋Vendor Advisories

Ubuntu

cJSON vulnerabilities↗2026-01-23

▶

Red Hat

cjson: Heap based buffer overflow at cJSON_ParseWithLength function↗2025-05-23

▶

Microsoft

parse_string in cJSON before 1.7.18 has a heap-based buffer over-read via {"1":1, with no trailing newline if cJSON_ParseWithLength is called.↗2025-05-13

▶

Debian

CVE-2023-53154: cjson - parse_string in cJSON before 1.7.18 has a heap-based buffer over-read via {"1":1...↗2023

▶