CVE-2025-54080
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-02

Assigner: GitHub, Inc.

Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-02
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54080
EUVD
EUVD-2025-26207
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
exiv2 exiv2 to 0.28.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-54080 is a low-severity vulnerability in the Exiv2 library, specifically an out-of-bounds read occurring when writing metadata into a specially crafted EPS image file. This happens because the library does not properly validate certain position and size fields in the EPS file header, leading to reading memory outside intended boundaries. Exploiting this requires tricking a user into running Exiv2 on a malicious EPS file with metadata writing operations, which are less common than reading operations. The vulnerability can cause the application to crash (denial of service) but does not expose or alter data. It was fixed in Exiv2 version 0.28.6 by adding strict bounds checking and error handling. [1, 2]

Impact Analysis

This vulnerability can impact you by causing a denial of service if an attacker tricks you into running Exiv2 on a specially crafted EPS image file that triggers the out-of-bounds read during metadata writing. The application may crash due to a segmentation fault, disrupting normal operations. However, it does not lead to information disclosure or data integrity compromise. The attack requires local access and user interaction to invoke the vulnerable metadata writing operation. [1]

Compliance Impact

This vulnerability primarily causes a denial of service by crashing the Exiv2 application and does not result in unauthorized disclosure or modification of data. Therefore, it has minimal or no direct impact on compliance with data protection standards and regulations such as GDPR or HIPAA, which focus on confidentiality and integrity of personal data. [1]

Detection Guidance

This vulnerability can be detected by attempting to run Exiv2 version 0.28.5 or earlier to write metadata on a crafted EPS image file that triggers the out-of-bounds read. Specifically, using the Exiv2 command-line tool with a metadata writing operation such as 'delete' on a malicious EPS file may cause a crash (segmentation fault). For example, a command like `exiv2 delete malicious.eps` could trigger the vulnerability if the file is crafted to exploit it. Detection involves monitoring for crashes or segmentation faults during such operations. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Exiv2 to version 0.28.6 or later, where the vulnerability is fixed. The fix includes improved bounds checking and validation of EPS file metadata sections to prevent out-of-bounds reads. Until upgrading, avoid running metadata writing operations on untrusted or suspicious EPS image files to reduce the risk of exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart