CVE-2025-48074
MEDIUM 5.5 | EPSS 0.13% | OpenEXR Out-Of-Memory via Unbounded File Header Values
Published: 2025/7/31 | Modified: 2026/4/28
Also known as: DEBIAN-CVE-2025-48074
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2 the library trusts the dataWindow size values read from a file header without validating them, so a crafted file can drive excessive memory allocation and performance degradation in any application that opens it. The CVSS vectors below score this as an availability impact only (no confidentiality or integrity loss). Fixed in version 3.3.3.
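The root cause is a size that comes straight from untrusted header bytes: the width and height of the image are derived from the four `box2i` integers of the `dataWindow` attribute, and whatever allocation follows is proportional to their product. The script below is an added example, not OpenEXR's own code and not the 3.3.3 fix; it parses only the attribute list of a single-part EXR header (magic, version word, NUL-terminated name/type pairs with an int32 size, closed by a single NUL byte, as described in the OpenEXR file layout) and rejects a file whose dataWindow is inverted or exceeds a pixel budget before any decoder is invoked. The `MAX_PIXELS` budget, the `build_header` helper and both sample headers are constructed for this illustration; a real deployment would pick the budget from its own memory limits and still upgrade the library.

```python
import struct

EXR_MAGIC = b"\x76\x2f\x31\x01"   # magic number 20000630, little-endian, starts every EXR file
MAX_PIXELS = 64 * 1024 * 1024     # hypothetical per-file budget (64 Mpixel); tune to your process


def _read_cstring(data: bytes, pos: int):
    """Return (string, position after the NUL) for a NUL-terminated string at pos."""
    end = data.find(b"\0", pos)
    if end < 0:
        raise ValueError("unterminated string in header")
    return data[pos:end].decode("ascii"), end + 1


def parse_exr_header(data: bytes) -> dict:
    """Walk the attribute list of the first header of an EXR file.

    Returns {attribute name: (type name, raw value bytes)}. Only header bytes are
    read; no pixel data is decoded, so this is cheap to run as a pre-filter.
    """
    if data[:4] != EXR_MAGIC:
        raise ValueError("not an EXR file")
    version = struct.unpack_from("<I", data, 4)[0]
    if version & 0xFF != 2:
        raise ValueError(f"unsupported EXR version {version & 0xFF}")
    attrs = {}
    pos = 8
    while True:
        if pos >= len(data):
            raise ValueError("truncated header")
        if data[pos] == 0:            # a lone NUL byte terminates the attribute list
            break
        name, pos = _read_cstring(data, pos)
        atype, pos = _read_cstring(data, pos)
        if pos + 4 > len(data):
            raise ValueError("truncated attribute size")
        size = struct.unpack_from("<i", data, pos)[0]
        pos += 4
        if size < 0 or pos + size > len(data):
            raise ValueError(f"attribute {name!r} has bad size {size}")
        attrs[name] = (atype, data[pos:pos + size])
        pos += size
    return attrs


def data_window(attrs: dict):
    """Return (xMin, yMin, xMax, yMax) from the box2i dataWindow attribute."""
    atype, raw = attrs["dataWindow"]
    if atype != "box2i" or len(raw) != 16:
        raise ValueError("dataWindow is not a box2i")
    return struct.unpack("<iiii", raw)


def checked_dimensions(attrs: dict, max_pixels: int = MAX_PIXELS):
    """Width/height of the dataWindow, or ValueError if it is inverted or too large."""
    xmin, ymin, xmax, ymax = data_window(attrs)
    if xmax < xmin or ymax < ymin:
        raise ValueError("inverted dataWindow")
    # Python ints do not wrap, so these are the true sizes. In C++ the same
    # expressions on int32 overflow for extreme corner values, so a native
    # implementation must widen to int64 (or bound each side) before multiplying.
    width = xmax - xmin + 1
    height = ymax - ymin + 1
    if width * height > max_pixels:
        raise ValueError(f"dataWindow {width}x{height} exceeds pixel budget {max_pixels}")
    return width, height


def is_safe_exr(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """True if the header parses and its dataWindow fits the budget."""
    try:
        checked_dimensions(parse_exr_header(data), max_pixels)
        return True
    except (ValueError, KeyError, struct.error, UnicodeDecodeError):
        return False


# --- constructed sample headers (not real files; no offset table or pixel data) ---
def _attr(name: str, atype: str, value: bytes) -> bytes:
    return name.encode() + b"\0" + atype.encode() + b"\0" + struct.pack("<i", len(value)) + value


def build_header(xmin: int, ymin: int, xmax: int, ymax: int) -> bytes:
    """Minimal single-part scanline header carrying the given dataWindow."""
    box = struct.pack("<iiii", xmin, ymin, xmax, ymax)
    # chlist: one HALF (pixel type 1) channel "R", then the NUL that ends the list
    chlist = b"R\0" + struct.pack("<i", 1) + b"\0\0\0\0" + struct.pack("<ii", 1, 1) + b"\0"
    return (EXR_MAGIC + struct.pack("<I", 2)
            + _attr("channels", "chlist", chlist)
            + _attr("compression", "compression", b"\x00")
            + _attr("dataWindow", "box2i", box)
            + _attr("displayWindow", "box2i", box)
            + _attr("lineOrder", "lineOrder", b"\x00")
            + _attr("pixelAspectRatio", "float", struct.pack("<f", 1.0))
            + _attr("screenWindowCenter", "v2f", struct.pack("<ff", 0.0, 0.0))
            + _attr("screenWindowWidth", "float", struct.pack("<f", 1.0))
            + b"\0")


BENIGN_HEADER = build_header(0, 0, 1919, 1079)                       # 1920x1080
HOSTILE_HEADER = build_header(-2**31, -2**31, 2**31 - 1, 2**31 - 1)  # 2^32 x 2^32 pixels

if __name__ == "__main__":
    print("benign :", checked_dimensions(parse_exr_header(BENIGN_HEADER)))
    print("hostile:", is_safe_exr(HOSTILE_HEADER))
```

The hostile header is the shape of input this advisory is about: every field is a legal int32, the file is only a few hundred bytes, and nothing looks wrong until the consumer multiplies the sides and allocates. Running the check on the raw bytes before calling into any image library keeps that multiplication in code you control; it does not replace the upgrade to 3.3.3, which validates these values inside the library itself.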
Affected packages (2)
- Debian/openexr: from 0 (no fixed version listed)
- PyPI/openexr: >= 3.3.2, < 3.3.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-48074
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-48074
- PATCH: https://github.com/AcademySoftwareFoundation/openexr
- WEB: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf
- WEB: https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074