CVE-2025-53644
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-10-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencv | opencv | From 4.10.0 (inc) to 4.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53644 is a vulnerability in OpenCV 4.10.0 through 4.11.0 (fixed in 4.12.0) in the JPEG 2000 image decoder, which is built on the OpenJPEG library. A pointer variable on the stack is left uninitialized: when the function that reads the JPEG 2000 header fails, the pointer intended to hold the decoded image data is never assigned, but the decoder still dereferences it and writes through it. Because the pointer's value is whatever happened to be on the stack at that point, a crafted JPEG 2000 image can turn this into a write of attacker-controlled data to a heap location the attacker did not allocate, which is memory corruption that can potentially be escalated to arbitrary code execution. [2]
How can this vulnerability impact me?
Decoding a specially crafted JPEG 2000 image with a vulnerable OpenCV build corrupts heap memory. An attacker who can get such an image decoded, for example by uploading it to a service that runs OpenCV on user-supplied images, could overwrite memory with controlled values and cause crashes, data corruption, or potentially remote code execution in the decoding process. Any system or application that decodes untrusted JPEG 2000 images with OpenCV 4.10.x or 4.11.x is therefore exposed. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The defect is in a library rather than a network service, so there is no network signature for it; detection is inventory work: find the hosts, containers and Python environments that carry OpenCV 4.10.x or 4.11.x with JPEG 2000 (OpenJPEG) support compiled in. Useful commands are pkg-config --modversion opencv4 for a system install, python3 -c "import cv2; print(cv2.__version__)" or pip show opencv-python (also opencv-python-headless and the opencv-contrib-python variants; a wheel version such as 4.11.0.86 bundles OpenCV 4.11.0) for Python bindings, and python3 -c "import cv2; print(cv2.getBuildInformation())" to check whether the build lists OpenJPEG under JPEG 2000, since the vulnerable decoder is only reachable when it does. To confirm the defect dynamically, build OpenCV with AddressSanitizer (ASan) or MemorySanitizer (MSan, the sanitizer that specifically reports use of uninitialized values), decode crafted JPEG 2000 images with cv::imdecode or cv::imread in a small test program, and watch for sanitizer reports of an invalid write through a wild pointer, a use-of-uninitialized-value report, or a crash. Note that version checks will not find copies of OpenCV statically linked or vendored into other applications. [2]
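The version-range check described above, written out as a small POSIX shell script. This is an added example, not tooling from BaseFortify or the OpenCV project; the range 4.10.0 <= version < 4.12.0 is taken from the affected-products table on this page, and the probes (pkg-config, python3 cv2, pip show) are the commands named in the answer. Version strings with extra components, such as the 4.11.0.86 scheme used by opencv-python wheels, are reduced to their first three numeric fields before comparison.

```shell
#!/bin/sh
# Added example for CVE-2025-53644: flag OpenCV installs in the affected range
# 4.10.0 <= version < 4.12.0 (range from the affected-products table on this
# page). Not part of OpenCV or BaseFortify tooling.

# version_key VERSION -> one integer built from the first three numeric
# components, so versions can be compared with the shell's -ge/-lt.
# Extra components (opencv-python wheels look like 4.11.0.86) and
# non-numeric suffixes (4.11.0rc1) are dropped.
version_key() {
    vk_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$vk_ifs
    vk_major=${1%%[!0-9]*}
    vk_minor=${2%%[!0-9]*}
    vk_patch=${3%%[!0-9]*}
    printf '%d%03d%03d\n' "${vk_major:-0}" "${vk_minor:-0}" "${vk_patch:-0}"
}

# is_vulnerable VERSION -> exit status 0 if VERSION is in the affected range.
is_vulnerable() {
    iv_key=$(version_key "$1")
    if [ "$iv_key" -ge "$(version_key 4.10.0)" ] && \
       [ "$iv_key" -lt "$(version_key 4.12.0)" ]; then
        return 0
    fi
    return 1
}

# verdict SOURCE VERSION -> one line describing the finding.
verdict() {
    if is_vulnerable "$2"; then
        printf '%s: OpenCV %s is in the affected range for CVE-2025-53644; upgrade to 4.12.0 or later\n' \
            "$1" "$2"
    else
        printf '%s: OpenCV %s is outside the affected range\n' "$1" "$2"
    fi
}

# scan_host: probe the usual places OpenCV is installed. A probe is skipped when
# its tool is missing or reports no OpenCV. Statically linked or vendored copies
# inside other applications are not found this way.
scan_host() {
    sh_found=0
    if v=$(pkg-config --modversion opencv4 2>/dev/null) && [ -n "$v" ]; then
        verdict "pkg-config opencv4" "$v"; sh_found=1
    fi
    if v=$(python3 -c 'import cv2; print(cv2.__version__)' 2>/dev/null) && [ -n "$v" ]; then
        verdict "python3 cv2" "$v"; sh_found=1
        # The vulnerable decoder is only reachable when OpenJPEG is compiled in.
        python3 -c 'import cv2; print(cv2.getBuildInformation())' 2>/dev/null \
            | grep -i 'JPEG 2000' | sed 's/^/    build info: /'
    fi
    for pkg in opencv-python opencv-python-headless \
               opencv-contrib-python opencv-contrib-python-headless; do
        if v=$(pip show "$pkg" 2>/dev/null | sed -n 's/^Version: //p') && [ -n "$v" ]; then
            verdict "pip $pkg" "$v"; sh_found=1
        fi
    done
    [ "$sh_found" -eq 1 ] || echo "no OpenCV installation found by these probes"
}

scan_host
```

Run it as sh on each host or inside each container image you ship; a non-empty "JPEG 2000" line containing OpenJPEG in the build information is what makes an in-range version actually exposed. A version outside the range, or a build whose JPEG 2000 backend is absent, is not affected by this CVE.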
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade OpenCV to 4.12.0 or later, where the fix checks the header-reading result before the image pointer is dereferenced. If upgrading is not immediately possible, do not pass untrusted JPEG 2000 images to a vulnerable OpenCV build; enforce this by rejecting JPEG 2000 input at the boundary where images are accepted, rather than relying on the decoder. Alternatively, apply the patch from the OpenCV repository that adds the check of the decoding return value (ret) before using the image pointer. If you build OpenCV yourself and do not need JPEG 2000, building without the OpenJPEG backend (CMake option WITH_OPENJPEG=OFF) removes the affected decoder entirely; confirm the result in cv::getBuildInformation(). Remember that Python wheels (opencv-python and its headless and contrib variants) and container images embed their own copy of OpenCV and must be upgraded separately from any system package. [1, 2]