cvelistv5 - cve-2025-54080

cve-2025-54080

Vulnerability from cvelistv5

Published

2025-08-29 14:50

Modified

2025-08-29 14:58

Severity ?

1.8 (Low) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0
	security-advisories@github.com	https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39

Impacted products

▼	Vendor	Product
	Exiv2	exiv2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54080",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-29T14:58:11.442776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-29T14:58:23.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "exiv2",
          "vendor": "Exiv2",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.28.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 1.8,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T14:50:17.623Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39"
        },
        {
          "name": "https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0"
        }
      ],
      "source": {
        "advisory": "GHSA-496f-x7cq-cq39",
        "discovery": "UNKNOWN"
      },
      "title": "Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54080",
    "datePublished": "2025-08-29T14:50:17.623Z",
    "dateReserved": "2025-07-16T13:22:18.207Z",
    "dateUpdated": "2025-08-29T14:58:23.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54080\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-29T15:15:35.613\",\"lastModified\":\"2025-08-29T16:24:29.730\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":1.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"references\":[{\"url\":\"https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-496f-x7cq-cq39

Vulnerability from github

Published

2025-08-29 14:49

Modified

2025-08-29 21:03

Severity ?

1.8 (Low) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file

Details

Impact

An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as delete.

Patches

The bug is fixed in version v0.28.6.

Credit

Thank you to @dragonArthurX for reporting this issue.

Details (from original report by @dragonArthurX )

Version: Tested on v0.28.5 (latest official release) Commit: 907169fa643c2c74c14fd4106e55eaeee3634d9f

Platform: Ubuntu 20.04.6 LTS (x86_64)

Build Steps: bash git clone https://github.com/Exiv2/exiv2.git cd exiv2 git checkout v0.28.5 mkdir build-v0.28.5 && cd build-v0.28.5 cmake -DCMAKE_C_COMPILER=/fuzzer/afl-clang-fast -DCMAKE_CXX_COMPILER=/fuzzer/afl-clang-fast++ -DCMAKE_C_FLAGS="-g -fsanitize=address" -DCMAKE_CXX_FLAGS="-g -fsanitize=address" -DBUILD_SHARED_LIBS=OFF ../

Command line to reproduce: bash /home/exiv2/build/bin/exiv2 -d a -f /home/poc

Crash Output: ``` AddressSanitizer:DEADLYSIGNAL ================================================================ = ==376531==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd92236b0e7 (pc 0x7fd82314dcd2 bp 0x7ffd540ceba0 sp 0x7ffd540ce358 T0) ==376531==The signal is caused by a READ memory access. #0 0x7fd82314dcd2 /build/glibc-B3wQXB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383 #1 0x4ed131 in __asan_memcpy (/home/exiv2/build-v0.28.5/bin/exiv2+0x4ed131) #2 0x6184b1 in Exiv2::MemIo::write(unsigned char const, unsigned long) /home/exiv2/src/basicio.cpp:704:5 #3 0xad336d in (anonymous namespace)::writeTemp(Exiv2::BasicIo&, unsigned char const, unsigned long) /home/exiv2/src/epsimage.cpp:90:14 #4 0xac3a07 in (anonymous namespace)::readWriteEpsMetadata(Exiv2::BasicIo&, std::__cxx11::basic_string, std::allocator\ >&, std::vector >&, bool) /home/exiv2/src/epsimage.cpp:1009:7 #5 0xad1175 in Exiv2::EpsImage::writeMetadata() /home/exiv2/src/epsimage.cpp:1103:3 #6 0x5d2383 in Action::Erase::run(std::__cxx11::basic_string, std::allocator\ > const&) /home/exiv2/app/actions.cpp:713:14 #7 0x522d02 in main /home/exiv2/app/exiv2.cpp:177:25 #8 0x7fd8230b6082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16 #9 0x4714dd in _start (/home/exiv2/build-v0.28.5/bin/exiv2+0x4714dd)

AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /build/glibc-B3wQXB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383 ==376531==ABORTING ```

Show details on source website