Security Vulnerability Report
CVE-2025-15535 CVSS 3.3 LOW

Published: 2026-01-18 08:15:49
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

nicbarker clay <= 0.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-15535 PoC - Null Pointer Dereference in Clay__MeasureTextCached
// This PoC demonstrates triggering the null pointer dereference
#include <stdio.h>
#include <stdlib.h>
// "clay.h" is not included: the function below is a stand-alone mock, not the library's code

// Mock cache entry type so the example compiles (not a clay.h structure)
typedef struct {
    char data;
} MockCacheEntry;

// Mock implementation for demonstration
void Clay__MeasureTextCached(char* text, int length) {
    (void)text;   // unused in the mock
    (void)length; // unused in the mock
    // Vulnerable code path - missing null check
    MockCacheEntry* cache_entry = NULL;
    // This triggers the vulnerability
    if (cache_entry->data == '\0') { // NULL pointer dereference
        printf("Vulnerability triggered!\n");
    }
}

int main(void) {
    printf("CVE-2025-15535 PoC\n");
    printf("Affected: nicbarker clay <= 0.14\n");
    printf("Vulnerability: Null pointer dereference in Clay__MeasureTextCached\n");
    // Trigger the vulnerable function
    Clay__MeasureTextCached("malicious input", 16);
    return 0;
}
// Note: Actual exploit requires specific conditions based on clay library internals
// Reference: https://github.com/nicbarker/clay/issues/566

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15535", "sourceIdentifier": "[email protected]", "published": "2026-01-18T08:15:49.057", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en nicbarker clay hasta la versión 0.14. Esto afecta la función Clay__MeasureTextCached en la librería clay.h. La manipulación resulta en desreferencia de puntero nulo. El ataque solo es posible con acceso local. El exploit ha sido liberado al público y puede ser utilizado para ataques. 
El proyecto fue informado del problema tempranamente a través de un informe de problema pero aún no ha respondido."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/nicbarker/clay/", "source": "[email protected]"}, {"url": "https://github.com/nicbarker/clay/issues/566", "source": "[email protected]"}, {"url": "https://github.com/oneafter/1215/blob/main/repro", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.341707", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.341707", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.733346", "source": "[email protected]"}]}}