CVE-2025-54874 is a medium-severity vulnerability identified in the open-source JPEG 2000 codec library OpenJPEG, specifically versions 2.5.1 through 2.5.3. The vulnerability arises from the use of an uninitialized variable within the function opj_jp2_read_header. When this function processes a JPEG 2000 data stream (p_stream) that is too short, and the image structure (p_image) is not properly initialized, it can lead to an out-of-bounds (OOB) heap memory write. This memory corruption occurs because the code attempts to write data beyond the allocated buffer boundaries, potentially overwriting adjacent memory. The vulnerability is classified under CWE-457, which pertains to the use of uninitialized variables, a common programming error that can lead to unpredictable behavior and security issues. The CVSS 4.0 base score is 6.6, indicating a medium severity level. The vector details show that the attack vector is local (AV:L), requiring low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). However, the attack requires physical or logical local access to the vulnerable system (local vector), and the exploitability is partial (E:P). The vulnerability impacts confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H), meaning successful exploitation could lead to significant compromise of the system. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability affects the uclouvain OpenJPEG project, a widely used library for encoding and decoding JPEG 2000 images, which is integrated into various software products and systems that handle image processing, including document viewers, medical imaging software, and digital asset management systems.

For European organizations, the impact of CVE-2025-54874 can be significant, especially those relying on software that incorporates the vulnerable OpenJPEG versions for image processing tasks. This includes sectors such as healthcare (medical imaging), digital media, publishing, and government agencies that handle large volumes of JPEG 2000 images. Exploitation of this vulnerability could allow an attacker with local access to cause memory corruption, potentially leading to arbitrary code execution, system crashes, or data corruption. This could compromise the confidentiality and integrity of sensitive data, disrupt critical services, and lead to denial of service conditions. Given the local attack vector, the threat is more pronounced in environments where untrusted users have local or network-level access to systems processing JPEG 2000 images. The high impact on confidentiality, integrity, and availability means that successful exploitation could facilitate further lateral movement or privilege escalation within organizational networks. Although no exploits are currently known in the wild, the presence of this vulnerability in a widely used open-source library necessitates proactive risk management to prevent future exploitation.

European organizations should take the following specific and practical steps to mitigate the risk posed by CVE-2025-54874: 1) Inventory and identify all software and systems that utilize OpenJPEG versions 2.5.1 through 2.5.3, including embedded applications and third-party products. 2) Monitor the uclouvain OpenJPEG project and related security advisories for the release of patches or updated versions that address this vulnerability, and prioritize timely patching once available. 3) In the interim, implement strict access controls to limit local access to systems processing JPEG 2000 images, reducing the risk of local exploitation. 4) Employ application whitelisting and runtime protections such as memory safety tools (e.g., AddressSanitizer, Control Flow Integrity) to detect and prevent exploitation attempts. 5) Conduct code reviews and testing for custom integrations of OpenJPEG to ensure proper initialization of image structures and validate input stream lengths to prevent malformed data from triggering the vulnerability. 6) Enhance monitoring and logging on affected systems to detect anomalous behaviors indicative of exploitation attempts, such as crashes or unexpected memory errors. 7) Educate system administrators and security teams about the vulnerability and its local attack vector to ensure awareness and readiness to respond to incidents.