CVE-2025-55304

Aug. 29, 2025, 4:24 p.m.

1.8
Low

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

Product(s) Impacted

Vendor Product Versions
Exiv2
  • Exiv2
  • 0.28.5, 0.28.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-407
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a exiv2 exiv2 0.28.5 / / / / / / /
a exiv2 exiv2 0.28.6 / / / / / / /

References

https://github.com/Exiv2/exiv2/issues/3333
https://github.com/Exiv2/exiv2/pull/3335
https://github.com/Exiv2/exiv2/pull/3345
https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g

Tags

security-advisories@github.com
CWE-407
2025-08-29
CVE-2025-55304

CVSS Score

1.8 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: ACTIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Aug. 29, 2025, 3:15 p.m.
Last Modified: Aug. 29, 2025, 4:24 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.