CVE-2025-66909
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: MITRE

Description
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV's imread() function without validating dimensions or pixel count before decompression. An attacker can upload a specially crafted compressed image file (e.g., PNG) that is small when compressed but expands to gigabytes of memory when loaded. This causes immediate memory exhaustion, OutOfMemoryError, and service crash. No authentication is required if the OCR service is publicly accessible. Multiple requests can completely deny service availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66909
EUVD
EUVD-2025-204541
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
turms turms_ai_serving 0.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an image decompression bomb denial of service in the Turms AI-Serving module v0.10.0-SNAPSHOT and earlier. The ExtendedOpenCVImage class loads images using OpenCV's imread() function without validating image dimensions or pixel count before decompression. An attacker can upload a specially crafted compressed image file that is small in size but expands to consume gigabytes of memory when decompressed. This causes memory exhaustion, leading to an OutOfMemoryError and crashing the service. No authentication is required if the OCR service is publicly accessible, allowing multiple requests to cause a complete denial of service.

Impact Analysis

This vulnerability can cause immediate memory exhaustion on the server running the Turms AI-Serving module, resulting in service crashes and denial of service. If the OCR service is publicly accessible, attackers can exploit this by sending multiple specially crafted images, potentially making the service completely unavailable to legitimate users.

Mitigation Strategies

To mitigate this vulnerability, you should restrict or disable public access to the OCR service to prevent unauthenticated attackers from uploading malicious images. Additionally, implement validation checks on image dimensions and pixel counts before decompression to avoid memory exhaustion. Monitoring and limiting the size of uploaded images can also help prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart