CVE-2025-54874 is a vulnerability identified in the OpenJPEG open-source JPEG 2000 codec maintained by the uclouvain project. The issue arises from the use of an uninitialized variable (CWE-457) within the function opj_jp2_read_header in versions 2.5.1 through 2.5.3. Specifically, when the input data stream (p_stream) is shorter than expected and the p_image structure is not properly initialized before use, the function may perform an out-of-bounds (OOB) heap memory write. This memory corruption can lead to undefined behavior including application crashes or potentially exploitable conditions for remote code execution or privilege escalation, depending on the context in which OpenJPEG is used. The CVSS 4.0 score of 6.6 reflects a medium severity with local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The vulnerability does not require authentication or user interaction but is limited to local attackers who can supply crafted JPEG 2000 images to the vulnerable library. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild. The vulnerability affects any software or systems that incorporate OpenJPEG versions 2.5.1 to 2.5.3 for JPEG 2000 image decoding, including multimedia applications, medical imaging software, and other image processing tools.

The vulnerability can lead to out-of-bounds heap memory writes, which may cause application crashes, denial of service, or potentially enable attackers to execute arbitrary code or corrupt data. Since OpenJPEG is widely used in image processing applications, including medical imaging, digital archiving, and multimedia software, exploitation could disrupt critical services or compromise sensitive information. The local attack vector limits remote exploitation but systems that process untrusted JPEG 2000 images locally or in automated workflows are at risk. The high impact on confidentiality, integrity, and availability means that successful exploitation could lead to data breaches, system instability, or further compromise of the host environment. Organizations relying on OpenJPEG in critical infrastructure or sensitive environments face increased risk, especially if they process untrusted image files. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation once proof-of-concept code becomes available.

Organizations should immediately identify and inventory all systems and applications using OpenJPEG versions 2.5.1 through 2.5.3. Since no official patches are currently available, consider upgrading to a later, fixed version of OpenJPEG once released by the vendor. In the interim, apply strict input validation and sanitization on JPEG 2000 files, especially those from untrusted sources, to prevent malformed data from reaching vulnerable code paths. Employ sandboxing or isolation techniques for applications processing JPEG 2000 images to limit the impact of potential exploitation. Monitor logs and application behavior for signs of memory corruption or crashes related to image processing. Coordinate with software vendors and maintain awareness of updates or patches addressing this vulnerability. Additionally, implement strict access controls to limit local user ability to supply malicious files to vulnerable applications. Finally, consider using alternative image codecs or libraries with no known vulnerabilities if immediate patching is not feasible.