CVE-2024-25713: Code Injection in Ibireme Yyjson

CWE-94 (Code Injection) | 7 documents | 5 sources

Severity: 8.6 HIGH (NVD); 6.5 (OSV)
EPSS: 5.8% (top 9.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 29; Latest update Nov 10

Description

yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the pool_free function lacks loop checks. (pool_free is part of the pool series allocator, along with pool_malloc and pool_realloc.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Exploitability: 3.9 | Impact: 4.7

Affected Packages (2 packages)

SwiftURL: github.com/ibireme_yyjson < 0.9.0
NVD: ibireme/yyjson 0.8.0

Also affects: Fedora 38, 39, 40

Vulnerability Details (5)

OSV: raptor2 vulnerabilities (2025-11-10)
OSV: raptor2 vulnerabilities (2025-03-03)
OSV: yyjson has a Double Free vulnerability (2024-02-29)
GHSA: yyjson has a Double Free vulnerability (2024-02-29)
CVEList: CVE-2024-25713: yyjson through 0 (2024-02-11)

Vendor Advisories (1)

Debian: CVE-2024-25713: yyjson - yyjson through 0.8.0 has a double free, leading to remote code execution in some... (2024)
CVE-2024-25713: Code Injection in Ibireme Yyjson | cvebase