CVE-2025-66617 is classified as a CWE-125 out-of-bounds read vulnerability affecting the Enhanced Metafile (EMF) processing functionality in Canva Affinity version 3.0.1.3808. The vulnerability arises when the application processes specially crafted EMF files that contain data designed to cause the software to read memory beyond the intended buffer boundaries. This out-of-bounds read can lead to the disclosure of sensitive information residing in adjacent memory areas, potentially exposing confidential data to an attacker. The vulnerability requires the victim to open or interact with a malicious EMF file, implying user interaction is necessary. The attack vector is local (AV:L), meaning the attacker must have some level of access to deliver the malicious file, but no privileges are required (PR:N). The attack complexity is low (AC:L), indicating that exploitation does not require specialized conditions beyond user interaction. The vulnerability does not impact integrity or availability but has a high impact on confidentiality. No known exploits have been observed in the wild, and no patches have been released as of the publication date. The vulnerability was reserved in December 2025 and published in March 2026. The lack of a patch means users must rely on mitigations such as avoiding untrusted EMF files and monitoring for suspicious activity. Given Canva Affinity's use in creative and design workflows, the vulnerability could be leveraged to extract sensitive design data or intellectual property if exploited.

The primary impact of CVE-2025-66617 is the potential unauthorized disclosure of sensitive information due to out-of-bounds memory reads. For organizations, this could mean leakage of confidential design files, proprietary information, or user data embedded within Canva Affinity projects. Although the vulnerability does not allow code execution or system compromise, the confidentiality breach could have significant consequences, including intellectual property theft, exposure of sensitive client data, or competitive disadvantage. The requirement for local access and user interaction limits the attack surface, but social engineering or phishing campaigns could be used to trick users into opening malicious EMF files. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. Organizations relying heavily on Canva Affinity for design and creative work, especially in sectors like marketing, media, and product development, may face increased risk. The medium severity rating reflects the moderate but non-trivial risk posed by this vulnerability.

1. Restrict the opening of EMF files from untrusted or unknown sources within Canva Affinity. 2. Educate users about the risks of opening unsolicited or suspicious EMF files, emphasizing caution with email attachments and downloads. 3. Implement application whitelisting or sandboxing techniques to isolate Canva Affinity processes and limit the impact of potential exploits. 4. Monitor network and endpoint logs for unusual activity related to Canva Affinity, such as unexpected file accesses or crashes. 5. Use endpoint protection solutions capable of detecting anomalous behavior or memory access patterns indicative of exploitation attempts. 6. Engage with Canva support or vendor channels to obtain updates or patches as soon as they become available. 7. Consider disabling or limiting EMF file support within Canva Affinity if feasible, or convert EMF files to safer formats before use. 8. Maintain regular backups of design files to prevent data loss in case of exploitation or related incidents.