CVE-2025-54080

Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.

References

Link	Tags
https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39
https://github.com/Exiv2/exiv2/commit/e737332427711f15bcdc4e903203d6b7493eaec0

Frequently Asked Questions

What is the severity of CVE-2025-54080?: CVE-2025-54080 has been scored as a low severity vulnerability.
How to fix CVE-2025-54080?: To fix CVE-2025-54080, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54080 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-54080 is being actively exploited.
What software or system is affected by CVE-2025-54080?: CVE-2025-54080 affects Exiv2 exiv2.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-125 – Out-of-bounds Read

References

Frequently Asked Questions