CVE-2025-64735 is classified as a CWE-125 out-of-bounds read vulnerability affecting the EMF functionality in Canva Affinity version 3.0.1.3808. The vulnerability arises when the software processes specially crafted EMF files, which are a vector graphics file format used primarily on Windows platforms. An attacker can exploit this flaw by convincing a user to open or import a malicious EMF file, causing the application to read memory outside the intended buffer boundaries. This out-of-bounds read can result in the exposure of sensitive information residing in adjacent memory areas, potentially leaking confidential data such as cryptographic keys, user credentials, or other private information. The attack vector is local, meaning the attacker must have the ability to deliver the malicious file to the victim and require user interaction to open it. No privileges are required, which lowers the barrier for exploitation. The vulnerability does not allow for code execution or denial of service but compromises confidentiality. The CVSS v3.1 base score of 6.1 reflects a medium severity level, primarily due to the high confidentiality impact but limited scope and complexity. As of the publication date, no public exploits or patches are available, indicating that organizations should monitor for updates from Canva and consider interim mitigations. The vulnerability highlights the risks associated with processing complex file formats like EMF without sufficient bounds checking.

The primary impact of CVE-2025-64735 is the potential unauthorized disclosure of sensitive information from the memory of affected systems running Canva Affinity 3.0.1.3808. For organizations, this could lead to leakage of confidential data, including intellectual property or user credentials, depending on what resides in the exposed memory regions. Although the vulnerability does not allow code execution or system compromise, information disclosure can facilitate further attacks such as social engineering or privilege escalation. The requirement for local access and user interaction limits the attack surface but does not eliminate risk, especially in environments where users frequently exchange graphic files. Industries relying on Canva Affinity for design work, including marketing, media, and creative agencies, could be targeted to extract sensitive project data. The absence of known exploits reduces immediate risk, but the medium severity score and potential for sensitive data leakage necessitate proactive measures. Organizations with strict data confidentiality requirements should prioritize mitigation to prevent potential breaches.

To mitigate CVE-2025-64735, organizations should implement a multi-layered approach: 1) Restrict the acceptance and opening of EMF files from untrusted or unknown sources to reduce exposure to malicious files. 2) Educate users about the risks of opening unsolicited or suspicious graphic files, emphasizing caution with EMF files. 3) Employ application whitelisting and sandboxing techniques to isolate Canva Affinity processes, limiting the impact of any exploitation. 4) Monitor for official patches or updates from Canva and apply them promptly once released. 5) Use endpoint detection and response (EDR) tools to detect anomalous behavior related to file processing. 6) Consider disabling or limiting EMF file support in Canva Affinity if feasible until a patch is available. 7) Maintain robust backup and incident response plans to quickly address any potential data leakage incidents. These targeted steps go beyond generic advice by focusing on file handling policies, user awareness, and containment strategies specific to this vulnerability.