PT-2024-21108 · Yyjson · Yyjson
Alsoprach · Published 2024-02-10 · Updated 2025-09-17
CVE-2024-25713
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
yyjson versions 0.8.0 and earlier
Description
yyjson has a double free vulnerability in the pool series allocator, caused by the lack of loop checks in the pool_free function. This can lead to remote code execution in some cases. Because pool_free does not perform pointer destruction, Use-After-Free (UAF) vulnerabilities result. Arbitrary address writing, combined with other legitimate or illegitimate operations of programs using this library, can lead to remote code execution.
Recommendations
For yyjson versions 0.8.0 and earlier, consider applying the defensive patch provided by the developer, which causes the program to crash immediately if yyjson_mut_doc_free() is called twice on the same doc, alerting to the incorrect usage. As a temporary workaround, ensure that yyjson_mut_doc_free() is not called multiple times on the same document to prevent the double free vulnerability.
Fix
RCE
Code Injection
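The missing check and the workaround described above, shown on a toy allocator as an added example (not yyjson's code and not the developer's patch): pool_free_checked() walks the free list before accepting a pointer, and pool_release() clears the caller's handle so a repeated free becomes a no-op. All names, sizes and the pool layout here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy fixed-size pool, constructed for illustration; not yyjson's allocator. */
#define SLOT_COUNT 8
typedef union slot { union slot *next; unsigned char data[32]; } slot;
typedef struct { slot slots[SLOT_COUNT]; slot *free_list; } pool;

void pool_init(pool *p) {
    p->free_list = NULL;
    for (size_t i = SLOT_COUNT; i-- > 0;) {   /* push slots so slot 0 is on top */
        p->slots[i].next = p->free_list;
        p->free_list = &p->slots[i];
    }
}

void *pool_alloc(pool *p) {
    slot *s = p->free_list;
    if (s) p->free_list = s->next;
    return s;
}

/* Returns 0 on success, -1 if ptr is foreign, misaligned or already free. */
int pool_free_checked(pool *p, void *ptr) {
    uintptr_t a = (uintptr_t)ptr, base = (uintptr_t)p->slots;
    if (!ptr || a < base || a >= base + sizeof p->slots) return -1;
    if ((a - base) % sizeof(slot)) return -1;
    /* Walk the free list: pushing a slot that is already on it corrupts
       the list, so two later allocations can return the same slot. */
    for (slot *s = p->free_list; s; s = s->next)
        if (s == (slot *)ptr) return -1;
    ((slot *)ptr)->next = p->free_list;
    p->free_list = ptr;
    return 0;
}

/* Caller-side habit: free through the handle and clear it.
   Returns 1 when the handle was already released (no-op). */
int pool_release(pool *p, void **handle) {
    if (!handle || !*handle) return 1;
    int rc = pool_free_checked(p, *handle);
    *handle = NULL;
    return rc;
}
```

The free-list walk costs time proportional to the number of free slots, which is the trade-off for rejecting the second free instead of silently accepting it.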
Weakness Enumeration
Related Identifiers
Affected Products
Yyjson