CVE-2025-65092
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espressif | iot_development_framework | 5.3.4 |
| espressif | iot_development_framework | 5.4.3 |
| espressif | iot_development_framework | 5.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Espressif Internet of Things Development Framework (ESP-IDF) versions 5.5.1, 5.4.3, and 5.3.4 when using the ESP32-P4 hardware JPEG decoder. The software parser for JPEG images lacks necessary validation checks, so a specially crafted JPEG image can cause an out-of-bounds array access in the parsing routine.
How can this vulnerability impact me?
Processing a malicious JPEG image can trigger an out-of-bounds array access, which may cause unexpected behavior such as crashes, or potentially allow an attacker to execute arbitrary code or disrupt the normal operation of a device that uses the ESP32-P4 hardware JPEG decoder.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Espressif IoT Development Framework (ESP-IDF) to version 5.5.2, 5.4.4, or 5.3.5 or later, where the issue has been fixed. Avoid the vulnerable versions 5.5.1, 5.4.3, and 5.3.4, especially when the ESP32-P4 hardware JPEG decoder processes untrusted JPEG images.
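The two weakness classes listed above (CWE-191 and CWE-125), shown as the validation checks a JPEG header parser needs. This is an added example: it is not ESP-IDF code and does not reproduce the actual flaw, and the function names, the `jpeg_info_t` structure and the simplified marker handling are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_QTABLES 4   /* JPEG quantization table ids are 0..3 */

/* Hypothetical result structure for this example. */
typedef struct { uint8_t qt[NUM_QTABLES][64]; int qt_seen[NUM_QTABLES]; } jpeg_info_t;

/* Parse one DQT payload (8-bit tables only). Returns 0 on success, -1 if malformed. */
static int parse_dqt(const uint8_t *p, size_t n, jpeg_info_t *out)
{
    while (n > 0) {
        uint8_t precision = p[0] >> 4, id = p[0] & 0x0F;
        /* The id comes from the file: check it before using it as an array index (CWE-125). */
        if (precision != 0 || id >= NUM_QTABLES) return -1;
        if (n < 1 + 64) return -1;            /* the whole table must fit in the payload */
        memcpy(out->qt[id], p + 1, 64);
        out->qt_seen[id] = 1;
        p += 65; n -= 65;
    }
    return 0;
}

/* Walk length-prefixed marker segments up to SOS. Standalone markers are not handled.
   Returns 0 on success, -1 on malformed input. */
int jpeg_scan_header(const uint8_t *buf, size_t len, jpeg_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* SOI */
    size_t pos = 2;                            /* invariant: pos <= len */
    while (len - pos >= 4) {
        if (buf[pos] != 0xFF) return -1;
        uint8_t marker = buf[pos + 1];
        size_t seg_len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        /* seg_len counts its own two bytes. Below 2, seg_len - 2 would wrap
           to a huge unsigned value (CWE-191) and later reads would run past buf. */
        if (seg_len < 2) return -1;
        if (seg_len > len - pos - 2) return -1;   /* segment must lie inside buf */
        if (marker == 0xDB && parse_dqt(buf + pos + 4, seg_len - 2, out) != 0) return -1;
        if (marker == 0xDA) return 0;             /* SOS: header complete */
        pos += 2 + seg_len;
    }
    return -1;   /* ran out of data before SOS */
}
```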