CVE-2025-32024 – github.com/bep/imagemeta
Package
Manager: go
Name: github.com/bep/imagemeta
Vulnerable Version: >=0 <0.10.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0002 (percentile 0.03585)
Details
bep/imagemeta allows excessively large EXIF data structures

### Impact
The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before `v0.10.0`, if you didn't trust the input images, this could be abused to construct denial-of-service attacks.

### Patches
`v0.10.0` added `LimitNumTags` (default 5000) and `LimitTagSize` (default 10000) options.
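The following is an added example, not code from bep/imagemeta: a minimal little-endian IFD walker that applies both kinds of limit before any value buffer would be allocated. `CheckIFD`, `ErrLimit` and the sample byte slices are hypothetical names, and treating the tag-size limit as a cap on claimed bytes is an assumption of this sketch.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Byte sizes of TIFF/EXIF field types 1..12 (index 0 unused).
var typeSize = [...]uint64{0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8}
var ErrLimit = errors.New("exif: limit exceeded")

// CheckIFD walks one IFD (2-byte entry count, then 12-byte entries) and
// returns the total bytes its tags claim, or ErrLimit. The two limits are
// named after the advisory's options; their meaning here is assumed.
func CheckIFD(ifd []byte, limitNumTags, limitTagSize uint64) (uint64, error) {
	if len(ifd) < 2 {
		return 0, errors.New("exif: short IFD")
	}
	n := uint64(binary.LittleEndian.Uint16(ifd))
	if n > limitNumTags {
		return 0, fmt.Errorf("%w: %d tags", ErrLimit, n)
	}
	if uint64(len(ifd)) < 2+12*n {
		return 0, errors.New("exif: truncated IFD")
	}
	var total uint64
	for i := uint64(0); i < n; i++ {
		e := ifd[2+12*i:] // tag(2) type(2) count(4) value/offset(4)
		typ := binary.LittleEndian.Uint16(e[2:])
		count := uint64(binary.LittleEndian.Uint32(e[4:]))
		if typ == 0 || int(typ) >= len(typeSize) {
			continue // unknown type: nothing to size
		}
		size := count * typeSize[typ] // at most 2^32 * 8, fits in uint64
		if size > limitTagSize {
			return 0, fmt.Errorf("%w: tag 0x%04x claims %d bytes", ErrLimit, binary.LittleEndian.Uint16(e), size)
		}
		total += size
	}
	return total, nil
}

// Constructed samples: a 4-byte ASCII tag, and a RATIONAL tag whose count
// field is 0xFFFFFFFF, so a 14-byte IFD claims about 34 GB.
var smallIFD = []byte{1, 0, 0x0f, 0x01, 2, 0, 4, 0, 0, 0, 'a', 'b', 'c', 0}
var hugeIFD = []byte{1, 0, 0x1a, 0x01, 5, 0, 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0}

func main() {
	fmt.Println(CheckIFD(hugeIFD, 5000, 10000))
}
```

The check runs on the size declared in the entry, not on the bytes actually present, which is what keeps a small payload from driving a large allocation.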
Metadata
Created: 2025-04-09T12:57:44Z
Modified: 2025-04-09T12:57:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-q7rw-w4cq-2j6w/GHSA-q7rw-w4cq-2j6w.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-q7rw-w4cq-2j6w
Finding: F029
Auto approve: 1