RethinkDB cJSON Heap Overflow: When "Measure Twice, Cut Once" Goes Horribly Wrong
Vulnerability ID: CVE-2026-24810
CVSS Score: 10.0
Published: 2026-01-27
A critical heap-based buffer overflow in RethinkDB's cJSON parsing logic allows remote attackers to execute arbitrary code. The vulnerability stems from a discrepancy between the memory allocation pass and the string copying pass within the parse_string function. By supplying a malformed JSON string with a truncated Unicode escape sequence, an attacker can make the copying pass skip over the terminating quote, so it keeps copying heap data into a buffer that was sized for the shorter length measured by the allocation pass.
TL;DR
RethinkDB's internal JSON parser has a critical RCE flaw. A specific Unicode escape sequence can trick the parser into writing past its allocated buffer. CVSS 10.0.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-120 (Buffer Copy without Checking Size of Input)
- CVSS v4.0: 10.0 (Critical)
- Attack Vector: Network (Remote)
- Impact: Remote Code Execution (RCE) / Denial of Service
- Affected Component: src/cjson/cJSON.cc (parse_string)
- Exploit Status: Proof of Concept likely achievable
Affected Systems
- RethinkDB Server
- RethinkDB <= 2.4.4 (Fixed in: post-v2.4.4, see PR #7163)
Exploit Details
- Internal Research: Analysis based on Pull Request #7163 logic fix.
Mitigation Strategies
- Update RethinkDB to a version including PR #7163
- Implement strict network segmentation for DB ports (28015, 29015)
- Use an intermediary API gateway that validates JSON structure before passing it to the DB
Remediation Steps:
- Identify vulnerable instances via version check (<= 2.4.4).
- Apply the vendor patch or compile from the fixed source (PR #7163).
- Restart the RethinkDB service.
- Verify the fix by attempting to parse a JSON string ending in `\u` in a test environment.
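The following C program is an added illustration of the defect class described above and of the verification step just listed; it is not RethinkDB's or cJSON's code, and the function names (`measure_json_string`, `parse_json_string_safe`, `json_string_escapes_valid`) are hypothetical. It shows the safe pattern: a single validating measuring pass that rejects a truncated `\uXXXX` escape and records where the closing quote is, and a copying pass that is bounded by that same result, so the two passes cannot disagree on how many bytes to write. For brevity it decodes only `\u` escapes in the ASCII range and rejects the rest. The same validator is the kind of check an intermediary gateway could apply before forwarding JSON to the database.

```c
/* Added example (hypothetical names, not RethinkDB/cJSON code): keep the
 * measuring pass and the copying pass of a JSON string parser in agreement,
 * and fail closed on a truncated \uXXXX escape instead of reading past the
 * closing quote. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse exactly four hex digits at p into *out. Returns 0 on any non-hex
 * byte, including '"' or the terminating NUL, so a truncated escape such as
 * "\u00" at the end of the input is rejected before anything is read past
 * the end of the string. */
static int hex4(const char *p, unsigned *out)
{
    unsigned v = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)p[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | d;
    }
    *out = v;
    return 1;
}

/* Measuring pass. s must point at the opening quote. Returns the decoded
 * length in bytes and sets *end to the closing quote, or returns -1 if the
 * string is unterminated or contains a malformed/truncated escape. */
static long measure_json_string(const char *s, const char **end)
{
    if (*s != '"') return -1;
    const char *p = s + 1;
    long len = 0;
    while (*p != '\0' && *p != '"') {
        if (*p == '\\') {
            unsigned cp;
            switch (p[1]) {
            case 'u':
                /* All four hex digits must be present; only ASCII is decoded here. */
                if (!hex4(p + 2, &cp) || cp > 0x7F) return -1;
                p += 6; len += 1; break;
            case '"': case '\\': case '/': case 'b':
            case 'f': case 'n': case 'r': case 't':
                p += 2; len += 1; break;
            default:
                return -1;   /* unknown escape, or backslash at end of input */
            }
        } else {
            p++; len++;
        }
    }
    if (*p != '"') return -1;   /* ran into NUL: unterminated string */
    *end = p;
    return len;
}

/* Gateway-style check: 1 if the quoted JSON string is well formed, else 0. */
int json_string_escapes_valid(const char *s)
{
    const char *end;
    return measure_json_string(s, &end) >= 0;
}

/* Copying pass. Allocates len+1 bytes from the measuring pass and stops at
 * the `end` it recorded, so the copy can never run past the closing quote
 * regardless of what follows it in memory. Caller frees the result. */
char *parse_json_string_safe(const char *s)
{
    const char *end;
    long len = measure_json_string(s, &end);
    if (len < 0) return NULL;
    char *out = malloc((size_t)len + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = s + 1; p < end; ) {
        if (*p == '\\') {
            unsigned cp = 0;
            switch (p[1]) {
            case 'u': hex4(p + 2, &cp); *o++ = (char)cp; p += 6; break;
            case 'b': *o++ = '\b'; p += 2; break;
            case 'f': *o++ = '\f'; p += 2; break;
            case 'n': *o++ = '\n'; p += 2; break;
            case 'r': *o++ = '\r'; p += 2; break;
            case 't': *o++ = '\t'; p += 2; break;
            default:  *o++ = p[1]; p += 2; break;   /* \" \\ \/ */
            }
        } else {
            *o++ = *p++;
        }
    }
    *o = '\0';
    return out;
}

/* Stand-alone check mirroring the remediation step: a string ending in \u
 * must be rejected, a well-formed one must decode. */
int main(void)
{
    const char *truncated = "\"abc\\u";          /* constructed: "abc\u  */
    const char *good = "\"h\\u0041\\n\"";        /* constructed: "h\u0041\n" */
    printf("truncated escape rejected: %s\n",
           parse_json_string_safe(truncated) == NULL ? "yes" : "NO");
    char *r = parse_json_string_safe(good);
    printf("well-formed decodes to %zu bytes\n", r ? strlen(r) : 0);
    free(r);
    return 0;
}
```

The essential property is that `parse_json_string_safe` never recomputes the end of the string on its own; it trusts only the position found by the pass that sized the buffer. If an input is later rejected by `json_string_escapes_valid` at a gateway but accepted by a deployed server, that server is running unpatched parsing logic.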
References
Read the full report for CVE-2026-24810 on our website for more details including interactive diagrams and full exploit analysis.