CVE-2025-54874: CWE-457: Use of Uninitialized Variable in uclouvain openjpeg

Severity: Medium
Tags: Vulnerability, CVE-2025-54874, cve, cve-2025-54874, cwe-457
Published: Tue Aug 05 2025 (08/05/2025, 14:33:17 UTC)
Source: CVE Database V5
Vendor/Project: uclouvain
Product: openjpeg

Description

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and earlier, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

AI-Powered Analysis

Last updated: 08/05/2025, 15:02:46 UTC

Technical Analysis

CVE-2025-54874 is a vulnerability in the open-source JPEG 2000 codec library OpenJPEG, affecting versions 2.5.3 and earlier. It stems from the use of an uninitialized variable in the function opj_jp2_read_header. When this function processes a JPEG 2000 data stream (p_stream) that is shorter than expected and the image structure (p_image) has not been initialized, it can perform an out-of-bounds (OOB) heap memory write: data is written beyond the allocated buffer, potentially overwriting adjacent memory regions. The vulnerability is classified under CWE-457 (Use of Uninitialized Variable), a common programming error that can lead to unpredictable behavior and security risks.

The CVSS v4.0 base score is 6.6, a medium severity level. The vector string (AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P) indicates that the attack requires local access (AV:L), has low complexity (AC:L), has attack requirements present (AT:P), needs no privileges (PR:N) and no user interaction (UI:N), and has high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Exploitation is possible but requires local access, and no known exploits are currently reported in the wild.

The vulnerability could be triggered by processing crafted JPEG 2000 images with truncated or malformed data streams, causing the vulnerable function to write beyond allocated memory and potentially leading to application crashes, data corruption, or code execution in a local context. OpenJPEG is widely used in imaging applications, digital libraries, and document processing systems that handle JPEG 2000 images, so the vulnerability is relevant to any software that relies on this codec for image decoding or rendering.

Potential Impact

For European organizations, the impact of CVE-2025-54874 depends largely on their use of OpenJPEG within their software stacks. Industries such as digital archiving, medical imaging, publishing, and government agencies that process JPEG 2000 images may be particularly affected. The vulnerability allows local attackers to cause heap memory corruption, which could lead to denial of service (application crashes) or potentially escalate to arbitrary code execution if exploited successfully. This could compromise the confidentiality, integrity, and availability of systems handling sensitive image data. Given the local attack vector, the threat is more significant in environments where untrusted users have local access, such as shared workstations or multi-user systems. In sectors like healthcare or public administration, where image data integrity is critical, exploitation could disrupt operations or lead to data breaches. Additionally, if OpenJPEG is embedded in client-side applications used by European enterprises, crafted malicious images could be used as an attack vector if local users open or process such files. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks. Organizations relying on OpenJPEG should assess their exposure, especially if they handle untrusted image data or operate in environments with multiple local users.

Mitigation Recommendations

To mitigate CVE-2025-54874, European organizations should:

1) Upgrade OpenJPEG to a version later than 2.5.3 once a patch is released, as no patch links are currently available.
2) Until patched, implement strict input validation and sanitization for JPEG 2000 images, rejecting files with suspiciously short or malformed data streams to prevent triggering the vulnerability.
3) Restrict local access to systems processing JPEG 2000 images, limiting the ability of untrusted users to execute code or supply crafted images.
4) Employ application whitelisting and sandboxing for software using OpenJPEG to contain potential exploitation impact.
5) Monitor logs and application behavior for crashes or anomalies related to image processing, which could indicate attempted exploitation.
6) Coordinate with software vendors and developers to ensure timely updates and secure coding practices are applied in future releases.
7) Educate users about the risks of opening untrusted JPEG 2000 files, especially in environments where local access is shared or less controlled.
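
The second recommendation above (rejecting short or malformed streams) can be implemented as a structural pre-screen that runs before a file is handed to the decoder. The following is an added example, not OpenJPEG code and not part of the original advisory; it checks only the JP2 container layout (box lengths, required boxes, SOC marker) and is not known to match the exact trigger condition of this CVE. The names `walk_boxes`, `screen_jp2`, `box` and the sample bytes are constructed for illustration.

```python
import struct
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")  # 'jP  ' signature box

def walk_boxes(data):
    """Yield (type, payload) per box; raise ValueError if a box overruns the data."""
    pos, end = 0, len(data)
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        lbox, tbox = struct.unpack_from(">I4s", data, pos)
        header = 8
        if lbox == 1 and end - pos >= 16:  # 64-bit XLBox length follows the type
            (lbox,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif lbox == 0:  # box extends to the end of the enclosing data
            lbox = end - pos
        if lbox < header or pos + lbox > end:  # also rejects reserved lengths 1..7
            raise ValueError(f"box {tbox!r} at offset {pos} claims {lbox} bytes")
        yield tbox, data[pos + header:pos + lbox]
        pos += lbox

def screen_jp2(data):
    """Return (accepted, reason) for a JP2 file held in memory."""
    if not data.startswith(JP2_SIGNATURE):
        return False, "missing JP2 signature box"
    try:
        boxes = list(walk_boxes(data))
        if len(boxes) < 2 or boxes[1][0] != b"ftyp":
            return False, "ftyp box does not follow signature"
        top = dict(boxes)
        if b"jp2h" not in top or b"jp2c" not in top:
            return False, "jp2h or jp2c box missing"
        inner = list(walk_boxes(top[b"jp2h"]))
    except ValueError as exc:
        return False, str(exc)
    if not inner or inner[0][0] != b"ihdr" or len(inner[0][1]) != 14:
        return False, "jp2h does not start with a 14-byte ihdr"
    if not top[b"jp2c"].startswith(b"\xff\x4f"):
        return False, "codestream does not start with SOC marker"
    return True, "ok"

def box(kind, payload):  # helper used only to build the constructed samples
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples: a minimal well-formed container, then the same file cut short.
GOOD = (JP2_SIGNATURE + box(b"ftyp", b"jp2 \x00\x00\x00\x00jp2 ")
        + box(b"jp2h", box(b"ihdr", struct.pack(">IIHBBBB", 1, 1, 1, 7, 7, 0, 0)))
        + box(b"jp2c", b"\xff\x4f\xff\x51"))
TRUNCATED = GOOD[:40]  # ends inside the jp2h box
```

A file that passes this screen is only structurally plausible; the decoder should still run sandboxed as recommended in item 4.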

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.473Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68921990ad5a09ad00e9cbb9

Added to database: 8/5/2025, 2:47:44 PM

Last enriched: 8/5/2025, 3:02:46 PM

Last updated: 8/18/2025, 6:48:49 AM
