Skip to main content

CVE-2025-47105: Out-of-bounds Read (CWE-125) in Adobe InDesign Desktop

Medium
VulnerabilityCVE-2025-47105cvecve-2025-47105cwe-125
Published: Tue Jun 10 2025 (06/10/2025, 16:23:01 UTC)
Source: CVE Database V5
Vendor/Project: Adobe
Product: InDesign Desktop

Description

InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AI-Powered Analysis

AILast updated: 07/10/2025, 21:47:16 UTC

Technical Analysis

CVE-2025-47105 is an out-of-bounds read vulnerability (CWE-125) affecting Adobe InDesign Desktop versions ID20.2, ID19.5.3, and earlier. This vulnerability allows an attacker to read memory outside the intended buffer boundaries, potentially disclosing sensitive information from the process memory space. The flaw can be exploited when a user opens a specially crafted malicious InDesign file, which triggers the out-of-bounds read condition. Notably, this vulnerability can be leveraged to bypass security mitigations such as Address Space Layout Randomization (ASLR), which is designed to prevent attackers from reliably predicting memory addresses. The vulnerability does not allow code execution or modification of data but compromises confidentiality by leaking sensitive memory contents. The CVSS v3.1 base score is 5.5 (medium severity), reflecting that the attack vector requires local access (AV:L), no privileges (PR:N), but user interaction (UI:R) is mandatory. The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability affects widely used versions of Adobe InDesign Desktop, a professional desktop publishing software commonly used in creative industries for layout design and publishing tasks.

Potential Impact

For European organizations, particularly those in media, publishing, advertising, and design sectors that rely heavily on Adobe InDesign Desktop, this vulnerability poses a risk of sensitive information leakage. The disclosed memory could contain confidential project data, intellectual property, or other sensitive information that could be leveraged for further attacks or corporate espionage. Although the vulnerability does not allow direct code execution or system compromise, the ability to bypass ASLR reduces the effectiveness of memory protection mechanisms, potentially facilitating more complex multi-stage attacks if combined with other vulnerabilities. The requirement for user interaction (opening a malicious file) means that targeted phishing or social engineering campaigns could be used to exploit this vulnerability. Organizations handling sensitive or proprietary design content may face confidentiality breaches, reputational damage, and potential regulatory compliance issues under GDPR if personal or sensitive data is exposed.

Mitigation Recommendations

European organizations should implement a multi-layered approach to mitigate this vulnerability. First, they should monitor Adobe’s official channels closely for patches or updates addressing CVE-2025-47105 and apply them promptly once available. Until a patch is released, organizations should restrict the opening of InDesign files from untrusted or unknown sources and educate users about the risks of opening unsolicited or suspicious files. Deploying endpoint protection solutions that can detect anomalous behavior related to file parsing or memory access in InDesign may help identify exploitation attempts. Network-level controls such as email filtering and attachment sandboxing should be enhanced to block or analyze potentially malicious InDesign files. Additionally, enforcing the principle of least privilege by limiting user permissions can reduce the impact of exploitation. Regular backups and incident response plans should be updated to include scenarios involving InDesign-related attacks. Finally, organizations should consider isolating or sandboxing InDesign usage environments to contain potential memory disclosure risks.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
adobe
Date Reserved
2025-04-30T20:47:55.001Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f531b0bd07c39389e70

Added to database: 6/10/2025, 6:54:11 PM

Last enriched: 7/10/2025, 9:47:16 PM

Last updated: 8/1/2025, 9:39:57 PM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats