new file mode 100644
@@ -0,0 +1,33 @@
+From e53a1413304382d562176bed91609e00b4fcf87e Mon Sep 17 00:00:00 2001
+From: Lee <peteralfredlee@gmail.com>
+Date: Fri, 5 Sep 2025 14:53:20 +0800
+Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer
+ (#957)
+
+this fixes CVE-2025-57052
+
+CVE: CVE-2025-57052
+Upstream-Status: Backport [https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa]
+
+(cherry picked from commit 74e1ff4994aa4139126967f6d289b675b4b36fef)
+Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
+---
+ cJSON_Utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON_Utils.c b/cJSON_Utils.c
+index 63651df..8fa24f8 100644
+--- a/cJSON_Utils.c
++++ b/cJSON_Utils.c
+@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po
+ return 0;
+ }
+
+- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++)
++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++)
+ {
+ parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');
+
+--
+2.44.1
+
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0"
SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https \
file://run-ptest \
+ file://CVE-2025-57052.patch \
"
SRCREV = "acc76239bee01d8e9c858ae2cab296704e52d916"
Upstream Repository: https://github.com/DaveGamble/cJSON.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57052 Type: Security Fix CVE: CVE-2025-57052 Score: 9.8 Patch: https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> --- .../cjson/cjson/CVE-2025-57052.patch | 33 +++++++++++++++++++ .../recipes-devtools/cjson/cjson_1.7.18.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch