CVE-2025-31162 is a vulnerability identified in the fig2dev utility, part of the xfig suite, version 3.2.9a. The root cause is a floating point exception triggered within the get_slope function when processing certain local input data. This vulnerability falls under CWE-369 (Divide By Zero), indicating that improper handling of numerical input leads to an exception that can crash the application. Exploitation requires local access with low privileges and does not require user interaction, making it a local denial of service (DoS) vector. The vulnerability impacts availability by causing the fig2dev process to terminate unexpectedly, potentially disrupting workflows that depend on this tool for converting fig files to other graphical formats. The CVSS v3.1 score of 6.6 reflects a medium severity, with attack vector local (AV:L), attack complexity low (AC:L), privileges required low (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality (C:L), integrity (I:L), and availability (A:H). No public exploits or patches are currently available, but the vulnerability is published and recognized by the CVE database. Given fig2dev's niche usage primarily in Unix-like environments for graphical file conversion, the attack surface is limited to local users with access to the system running the vulnerable version.

For European organizations, the primary impact of CVE-2025-31162 is the potential for local denial of service on systems running fig2dev 3.2.9a. This can disrupt workflows in academic institutions, research labs, engineering firms, and any organizations relying on xfig for graphical file conversions. While the vulnerability does not allow remote exploitation or privilege escalation, it can be leveraged by malicious insiders or compromised local accounts to cause service interruptions. This may lead to productivity loss, delays in project deliverables, and potential cascading effects if fig2dev is part of automated pipelines. Confidentiality and integrity impacts are low, but availability impact is high for affected systems. The limited attack vector reduces the overall risk but does not eliminate it, especially in environments with multiple users or shared workstations. Organizations with strict uptime requirements or those using fig2dev in critical processes should prioritize mitigation.

Since no official patch is currently available, organizations should implement the following mitigations: 1) Restrict local access to systems running fig2dev 3.2.9a to trusted users only, minimizing the risk of malicious input. 2) Employ input validation or sanitization wrappers around fig2dev invocations to detect and prevent malformed input that could trigger the floating point exception. 3) Monitor system logs and application behavior for crashes related to fig2dev and investigate any anomalies promptly. 4) Consider isolating fig2dev usage in sandboxed or containerized environments to limit impact scope. 5) Stay alert for vendor updates or patches and apply them immediately upon release. 6) Educate local users about the risks of running untrusted input through fig2dev. 7) If feasible, replace fig2dev with alternative tools that do not have this vulnerability until a fix is available.