CVE-2025-65092
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-21

Last updated on: 2025-11-21

Assigner: GitHub, Inc.

Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-21
Last Modified
2025-11-21
Generated
2026-06-16
AI Q&A
2025-11-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65092
EUVD
EUVD-2025-198514
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
espressif iot_development_framework 5.3.4
espressif iot_development_framework 5.4.3
espressif iot_development_framework 5.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Espressif Internet of Things Development Framework (ESF-IDF) versions 5.5.1, 5.4.3, and 5.3.4 when using the ESP32-P4 hardware JPEG decoder. The software parser for JPEG images lacks necessary validation checks, allowing a specially crafted malicious JPEG image to exploit the parsing routine and cause an out-of-bounds array access.

Impact Analysis

The vulnerability can lead to an out-of-bounds array access when processing malicious JPEG images, which may cause unexpected behavior such as crashes or potentially allow an attacker to execute arbitrary code or disrupt the normal operation of the device using the ESP32-P4 hardware JPEG decoder.

Mitigation Strategies

To mitigate this vulnerability, update the Espressif IoT Development Framework (ESF-IDF) to versions 5.5.2, 5.4.4, or 5.3.5 or later, where the issue has been fixed. Avoid using the vulnerable versions 5.5.1, 5.4.3, and 5.3.4, especially when using the ESP32-P4 hardware JPEG decoder with untrusted JPEG images.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart