CVE-2025-32025 – github.com/bep/imagemeta
Package
Manager: go
Name: github.com/bep/imagemeta
Vulnerable Version: >=0 <0.11.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0002 (percentile 0.03585)
Details
bep/imagemeta allows a potentially large memory allocation in PNG and WebP parsing

### Impact
The buffer created for parsing metadata in PNG and WebP images was bounded only by its input data type, which could lead to a potentially large memory allocation, unreasonably high for image metadata. Before `v0.11.0`, if you didn't trust the input images, this could be abused to construct denial-of-service attacks.

### Patches
`v0.11.0` added a 10 MB upper limit.
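The bug class and its mitigation, as an added Go example that is not the imagemeta project's code: a minimal PNG chunk reader that checks the declared chunk length against a cap before allocating, fed constructed sample chunks. The names `readPNGChunk`, `pngChunk` and `maxChunkBytes` are assumptions for this example; the cap value mirrors the 10 MB limit the advisory attributes to v0.11.0.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed cap mirroring the 10 MB upper limit the advisory says v0.11.0 added.
const maxChunkBytes = 10 << 20
var errChunkTooLarge = errors.New("png chunk length exceeds allocation cap")

// readPNGChunk reads one chunk (big-endian length, 4-byte type, data, CRC) and
// bounds the length before make(); this is the check missing before v0.11.0.
func readPNGChunk(r io.Reader) (typ string, data []byte, err error) {
	var hdr [8]byte
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return "", nil, err
	}
	length := binary.BigEndian.Uint32(hdr[:4])
	typ = string(hdr[4:8])
	if length > maxChunkBytes { // a forged header could otherwise claim ~4 GiB
		return typ, nil, errChunkTooLarge
	}
	data = make([]byte, length)
	if _, err = io.ReadFull(r, data); err != nil {
		return typ, nil, err
	}
	_, err = io.CopyN(io.Discard, r, 4) // skip CRC (verification omitted)
	return typ, data, err
}

// pngChunk builds a constructed chunk whose length field may be forged.
func pngChunk(length uint32, typ string, data []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, length)
	b.WriteString(typ)
	b.Write(data)
	b.Write([]byte{0, 0, 0, 0}) // placeholder CRC
	return b.Bytes()
}

func main() {
	typ, data, err := readPNGChunk(bytes.NewReader(pngChunk(9, "tEXt", []byte("Author\x00me"))))
	fmt.Println(typ, len(data), err) // tEXt 9 <nil>
	_, _, err = readPNGChunk(bytes.NewReader(pngChunk(0xFFFFFFFF, "tEXt", nil)))
	fmt.Println(err) // png chunk length exceeds allocation cap
}
```

A length within the cap but larger than the bytes actually present is still rejected, by `io.ReadFull` returning `io.ErrUnexpectedEOF` rather than by the cap.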
Metadata
Created: 2025-04-09T12:57:56Z
Modified: 2025-04-09T12:57:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-fmhh-rw3h-785m/GHSA-fmhh-rw3h-785m.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-fmhh-rw3h-785m
Finding: F029
Auto approve: 1