CVE-2025-61952 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in the EMF processing component of Canva Affinity version 3.0.1.3808. The flaw arises when the application processes a maliciously crafted Enhanced Metafile (EMF), causing it to read memory beyond the intended buffer boundaries. This out-of-bounds read can result in the disclosure of sensitive information residing in adjacent memory areas. The vulnerability requires no privileges to exploit but does require user interaction, specifically opening or importing a malicious EMF file. The attack vector is local (AV:L), meaning the attacker must have access to deliver the file to the victim, such as via email or file sharing. The CVSS v3.1 score is 6.1, reflecting high confidentiality impact, no integrity or availability impact, low attack complexity, no privileges required, and user interaction needed. There are no known public exploits or patches at the time of publication. The vulnerability is significant because EMF files are commonly used in graphic design workflows, and Canva Affinity is a popular design tool. An attacker could leverage this flaw to extract sensitive data from the victim’s memory, potentially including credentials or other private information. However, the lack of code execution limits the scope to information disclosure only.

The primary impact of CVE-2025-61952 is the potential unauthorized disclosure of sensitive information from the memory of systems running Canva Affinity 3.0.1.3808. This could include confidential user data, credentials, or proprietary information that resides in memory adjacent to the EMF processing buffers. While the vulnerability does not allow modification of data or denial of service, the confidentiality breach could facilitate further attacks such as phishing, credential theft, or corporate espionage. Organizations relying on Canva Affinity for design work, especially those handling sensitive or proprietary graphics, intellectual property, or client data, face risks of data leakage. The requirement for user interaction means social engineering or targeted delivery of malicious EMF files is necessary, which may limit widespread exploitation but increases risk in targeted attacks. The absence of known exploits reduces immediate threat but also means organizations should proactively prepare. The impact is more pronounced in sectors with high confidentiality requirements such as government, finance, legal, and creative industries.

To mitigate CVE-2025-61952, organizations should implement the following specific measures: 1) Restrict the acceptance and opening of EMF files from untrusted or unknown sources within Canva Affinity workflows to reduce exposure to malicious files. 2) Educate users on the risks of opening unsolicited or suspicious EMF files, emphasizing cautious handling of email attachments and downloads. 3) Monitor and filter inbound files at the email gateway and endpoint security solutions to detect and block potentially malicious EMF files. 4) Maintain strict access controls and network segmentation to limit the ability of attackers to deliver malicious files to targeted users. 5) Once the vendor releases a patch or update addressing this vulnerability, prioritize timely deployment across all affected systems. 6) Employ memory protection and application sandboxing technologies where possible to limit the impact of out-of-bounds reads. 7) Conduct regular security awareness training focused on social engineering tactics that could be used to deliver malicious files. 8) Implement endpoint detection and response (EDR) solutions to identify anomalous application behavior related to file processing. These targeted steps go beyond generic advice by focusing on file handling policies, user education, and layered defenses specific to the nature of this vulnerability.