
CVE-2025-65119: CWE-125: Out-of-bounds Read in Canva Affinity

Severity: Medium
Tags: Vulnerability, CVE-2025-65119, CWE-125
Published: Tue Mar 17 2026 (03/17/2026, 18:52:29 UTC)
Source: CVE Database V5
Vendor/Project: Canva
Product: Affinity

Description

CVE-2025-65119 is an out-of-bounds read vulnerability in the EMF functionality of Canva Affinity version 3.0.1.3808. An attacker can exploit this by providing a specially crafted EMF file, causing the application to read memory beyond its intended boundaries. This can lead to the disclosure of sensitive information; exploitation requires no privileges but does require user interaction to open the malicious file. The vulnerability has a CVSS score of 6.1, indicating medium severity, with high impact on confidentiality, no impact on integrity and low impact on availability. No known exploits are currently reported in the wild. Organizations using Canva Affinity should be cautious when handling EMF files and monitor for updates or patches.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/25/2026, 01:07:05 UTC

Technical Analysis

CVE-2025-65119 is a medium severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the EMF (Enhanced Metafile) processing functionality in Canva Affinity version 3.0.1.3808. The flaw arises when the application parses a specially crafted EMF file, leading to an out-of-bounds read: the software reads memory outside the allocated buffer boundaries, potentially exposing sensitive information stored in adjacent memory regions. The vulnerability does not allow code execution or modification of data, but it can leak confidential information. Exploitation requires user interaction, specifically opening or importing a malicious EMF file, and does not require any privileges, so an unprivileged attacker who can get a file in front of a user can attempt it. The CVSS v3.1 score is 6.1, reflecting a medium risk with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope remains unchanged (S:U), with high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L). No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. It is most relevant to organizations that use Canva Affinity for graphic design and handle EMF files from untrusted sources, since an attacker could use it to extract data from process memory, potentially including user data or application internals.

Potential Impact

The primary impact of CVE-2025-65119 is the potential disclosure of sensitive information due to out-of-bounds memory reads. While it does not allow code execution or system compromise, leaking confidential data can lead to privacy violations, intellectual property exposure, or leakage of sensitive user information. For organizations, this could result in data breaches, regulatory non-compliance, and reputational damage. The requirement for user interaction limits mass exploitation but targeted attacks against high-value users or organizations remain a concern. The vulnerability affects availability minimally and does not affect data integrity. Since Canva Affinity is used globally in creative industries, marketing, and design sectors, organizations relying on this software for sensitive projects or client data are at risk. The absence of known exploits reduces immediate threat but does not eliminate future risk once exploit code becomes available.

Mitigation Recommendations

Organizations should implement several specific mitigations to reduce risk from CVE-2025-65119:
1) Avoid opening or importing EMF files from untrusted or unknown sources within Canva Affinity until a patch is available.
2) Employ endpoint security solutions capable of scanning and blocking malicious EMF files.
3) Use application whitelisting and sandboxing to isolate Canva Affinity processes, limiting potential data exposure.
4) Monitor for official patches or updates from Canva and apply them promptly once released.
5) Educate users about the risks of opening unsolicited or suspicious EMF files.
6) Consider disabling or restricting EMF file support in Canva Affinity if feasible.
7) Implement network-level controls to detect and block delivery of malicious EMF files via email or file sharing platforms.
These targeted actions go beyond generic advice by focusing on the specific attack vector and software environment.


Technical Details

Data Version: 5.2
Assigner Short Name: talos
Date Reserved: 2025-12-10T16:22:18.287Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b9aee0771bdb1749d152c9
Added to database: 3/17/2026, 7:43:28 PM
Last enriched: 3/25/2026, 1:07:05 AM
Last updated: 5/2/2026, 9:01:48 AM
