CVE-2019-25552
Received Received - Intake
Denial of Service via Buffer Overflow in CEWE PHOTO SHOW

Publication date: 2026-03-21

Last updated on: 2026-04-10

Assigner: VulnCheck

Description
CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25552
EUVD
EUVD-2019-19852
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cewe photo_show 6.4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-836 The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25552 is a denial of service (DoS) vulnerability in CEWE PHOTO SHOW version 6.4.3 and earlier. It occurs when an attacker submits an excessively long input string to the password field during the upload process. This large input causes the application to crash due to improper handling of large input buffers, effectively making the application unavailable.

The root cause is a buffer overflow condition triggered by pasting a large string of repeated characters into the password input, which the application fails to properly validate or limit.

Impact Analysis

This vulnerability can impact you by causing the CEWE PHOTO SHOW application to crash, resulting in a denial of service. Attackers can exploit this by submitting a very long password input, which disrupts normal operation and prevents legitimate users from using the application.

The CVSS v4 base score of 8.7 indicates a high severity, with the attack requiring no privileges or user interaction and having a network attack vector. The impact is primarily on confidentiality, as indicated by the CVSS vector.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to reproduce the denial of service condition on CEWE PHOTO SHOW version 6.4.3 by submitting an excessively long string to the password field during the upload process.'}, {'type': 'paragraph', 'content': "A proof-of-concept exploit involves running a Python script that generates a file containing a large buffer of repeated characters (e.g., 5000 'A's), copying this buffer to the clipboard, and then pasting it into the password field of the application during upload to observe if the application crashes."}, {'type': 'list_item', 'content': 'Run the Python script "photoshow.py" to create a file "photoshow.txt" with a large buffer.'}, {'type': 'list_item', 'content': 'Copy the contents of "photoshow.txt" to the clipboard.'}, {'type': 'list_item', 'content': 'Open CEWE PHOTO SHOW 6.4.3 and click the "Upload" button.'}, {'type': 'list_item', 'content': 'Paste the clipboard content into the password field and check if the application crashes.'}] [3]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of CEWE PHOTO SHOW version 6.4.3 or earlier until a patch or update is available that properly handles large input buffers in the password field.

As a temporary measure, restrict or sanitize input to the password field to prevent excessively long strings from being submitted.

Monitor application usage and logs for unusual or repeated attempts to submit large password inputs that could indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart