Fluid Attacks Database

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	exiv2	=0.28.5+dfsg-1 \|\| =0.28.7+dfsg-1 \|\| =0.28.7+dfsg-2 \|\| =0.28.8+dfsg-1	-
debian 11	exiv2	=0.27.3-3 \|\| =0.27.3-3+deb11u1 \|\| =0.27.3-3+deb11u2 \|\| =0.27.3-3.1 \|\| =0.27.5-1 \|\| =0.27.5-2 \|\| =0.27.5-3 \|\| =0.27.5-4 \|\| =0.27.6-1 \|\| =0.28.0+dfsg-1 \|\| =0.28.0+dfsg-2 \|\| =0.28.0+dfsg-3 \|\| =0.28.0+dfsg-4 \|\| =0.28.1+dfsg-1 \|\| =0.28.1+dfsg-2 \|\| =0.28.1+dfsg-3 \|\| =0.28.2+dfsg-1 \|\| =0.28.3+dfsg-1 \|\| =0.28.3+dfsg-2 \|\| =0.28.4+dfsg-1 \|\| =0.28.4+dfsg-2 \|\| =0.28.5+dfsg-1 \|\| =0.28.7+dfsg-1 \|\| =0.28.7+dfsg-2 \|\| =0.28.8+dfsg-1	-
debian 12	exiv2	=0.27.6-1 \|\| =0.28.0+dfsg-1 \|\| =0.28.0+dfsg-2 \|\| =0.28.0+dfsg-3 \|\| =0.28.0+dfsg-4 \|\| =0.28.1+dfsg-1 \|\| =0.28.1+dfsg-2 \|\| =0.28.1+dfsg-3 \|\| =0.28.2+dfsg-1 \|\| =0.28.3+dfsg-1 \|\| =0.28.3+dfsg-2 \|\| =0.28.4+dfsg-1 \|\| =0.28.4+dfsg-2 \|\| =0.28.5+dfsg-1 \|\| =0.28.7+dfsg-1 \|\| =0.28.7+dfsg-2 \|\| =0.28.8+dfsg-1	-
debian 14	exiv2	=0.28.5+dfsg-1 \|\| =0.28.7+dfsg-1 \|\| >=0 <0.28.7+dfsg-2	0.28.7+dfsg-2
pypi	exiv2	>=0 <=0.17.3	0.17.5
rpm rhel7	compat-exiv2-026	-	-
rpm rhel7	compat-exiv2-023	-	-
rpm rhel8	compat-exiv2-026	-	-
rpm rhel10	exiv2	-	-
rpm rhel6	exiv2	-	-

1-10 of 13

Aliases

1. CVE-2025-553042. NVD-2025-553043. OSV-DEBIAN-2025-553044. OSV-2025-553045. GHSA-m54q-mm9w-fp6g6. GCVE-2025-553047. SECURITY-TRACKER-CVE-2025-55304

References

1. https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g2. https://github.com/Exiv2/exiv2/issues/33333. https://github.com/Exiv2/exiv2/pull/33354. https://github.com/Exiv2/exiv2/pull/3345

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.