Update embedded cJSON for security fixes

[jre21]

librdkafka currently embeds a copy of cJSON 1.7.14. Please update this copy to the latest version, currently 1.7.18, which contains multiple CVE fixes related to improper handling of null pointers.

[janjwerner-confluent]

@jre21
Thank you for raising this issue.

[paravoid]

Another cJSON CVE was published in the meantime: CVE-2025-57052.

[glansbur]

@paravoid I just wanted to convey a sense of urgency, as NIST reports this CVE-2025-57052 to have a CVSS score of 9.8 which means it is CRITICAL. In other words it might cause teams to yank code with this out of production or at the very least delay using code with librdkafka until a fix becomes available

[glansbur]

@janjwerner-confluent sorry for bothering you again about this, are you aware this is a CRITICAL CVE?

[glansbur]

https://nvd.nist.gov/vuln/detail/CVE-2025-57052
So a minor bump up to cjson 1.7.19 will fix it.

[acusworth]

@janjwerner-confluent I opened PR #5216 to try to address some of the CVEs. Hope that helps.
At this time, it does not address CVE-2025-57052 as theres no record of a fix for 1.7.19 that I have been able to locate.

[Thomas-Barbier-1A]

@acusworth I think the CVE-2025-57052 is fixed in cJSON 1.7.19 but on a file that does not seem to be used by librdkafka: cJSON_utils.c. commit from DaveGamble/cJSON#957 : DaveGamble/cJSON@74e1ff4
I would say that if the fix is only on cJSON_utils.c and we don't use this file in librdkafka then this specific CVE would not be applicable here.

[acusworth]

Thanks @Thomas-Barbier-1A . In that case, #5216 should address everything else of consequence. Not to mention, also make every SCA tool stop complaining.

[Thomas-Barbier-1A]

For the SCA Tool I am not sure as they might not be able to detect the "granularity" of cJSON usage. Maybe they will just assume that librdkafka is exposed to all CVEs of cJSON jsut because there is a dependency even if only part of the code is used.
But at least at this time one of them that I have access to (BlackDuck) is no longer reporting the CVE-2025-57052

[glansbur]

I just wanted to follow up on this, does anyone know if this CRITICAL CVE is still unpatched? It appears that Alex's PR is unmerged.

Master is still on the vulnerable cJSON 1.7.14 version: https://github.com/confluentinc/librdkafka/blob/master/src/cJSON.h#L92