CVE-2025-64733 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in the Enhanced Metafile (EMF) functionality of Canva Affinity, specifically version 3.0.1.3808. The vulnerability arises when the software processes a specially crafted EMF file, leading to an out-of-bounds read condition. This means the program reads memory locations outside the allocated buffer, which can result in the disclosure of sensitive information stored in adjacent memory. The vulnerability does not allow code execution or modification of data but compromises confidentiality by leaking potentially sensitive data. Exploitation requires the victim to open a malicious EMF file, indicating user interaction is necessary. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), none on integrity (I:N), and low on availability (A:L). No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw is significant for environments where Canva Affinity is used to handle EMF files, especially in creative and design workflows.

The primary impact of CVE-2025-64733 is unauthorized disclosure of sensitive information due to out-of-bounds memory reads. This can lead to leakage of confidential data such as user credentials, proprietary design elements, or other sensitive in-memory information. While the vulnerability does not allow code execution or system compromise, the confidentiality breach can facilitate further attacks or data exfiltration. Organizations relying on Canva Affinity for design and content creation may face risks related to intellectual property theft or exposure of private information. The requirement for user interaction and local access limits remote exploitation, reducing the overall attack surface. However, targeted spear-phishing campaigns delivering malicious EMF files could exploit this vulnerability. The lack of available patches increases the window of exposure. The impact on system integrity and availability is minimal, but the confidentiality impact is significant enough to warrant attention.

1. Avoid opening EMF files from untrusted or unknown sources within Canva Affinity until a patch is released. 2. Implement strict file validation and scanning for EMF files at the gateway or endpoint level to detect malicious content. 3. Use application sandboxing or containerization to isolate Canva Affinity processes, limiting memory exposure. 4. Monitor user activities and file access logs for suspicious behavior related to EMF file handling. 5. Educate users about the risks of opening unsolicited or unexpected EMF files, especially from email attachments or downloads. 6. Coordinate with Canva for timely updates and apply patches as soon as they become available. 7. Consider disabling EMF file support if not required for business operations to reduce attack surface. 8. Employ memory protection mechanisms and endpoint detection tools that can identify abnormal memory access patterns.