CVE-2025-66617 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting the EMF functionality in Canva Affinity version 3.0.1.3808. The flaw arises when the software processes specially crafted Enhanced Metafile (EMF) files, leading to an out-of-bounds read condition. This can cause the application to read memory beyond the intended buffer boundaries, potentially exposing sensitive information stored in adjacent memory regions. The vulnerability requires the victim to open a malicious EMF file, implying user interaction is necessary, and the attack vector is local (AV:L). No privileges are required to exploit this vulnerability (PR:N), but the attacker must convince the user to open the file (UI:R). The CVSS 3.1 base score is 6.1, reflecting a high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L). There are no known exploits in the wild, and no patches have been published at the time of analysis. The vulnerability could be leveraged by attackers to leak sensitive data from the application's memory, which might include user data or application secrets. Since the vulnerability is in a graphic design tool widely used for content creation, the attack surface includes designers and organizations handling EMF files. The lack of patches necessitates interim mitigations to reduce risk. The vulnerability was reserved in December 2025 and published in March 2026, indicating recent discovery and disclosure.

The primary impact of CVE-2025-66617 is the potential disclosure of sensitive information due to an out-of-bounds read in Canva Affinity's EMF processing. This can lead to leakage of confidential data residing in memory, which may include user credentials, proprietary design data, or other sensitive information. Although the vulnerability does not affect data integrity or cause significant availability disruption, the confidentiality breach can have serious consequences, especially for organizations handling sensitive or proprietary graphic content. The requirement for user interaction and local access limits remote exploitation, but social engineering or phishing could be used to trick users into opening malicious EMF files. The medium severity rating reflects this balance of impact and exploitation complexity. Organizations relying on Canva Affinity for design workflows may face risks of data leakage, reputational damage, and compliance issues if sensitive information is exposed. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict or disable the use of EMF files within Canva Affinity by configuring application settings or using endpoint security controls to block or quarantine EMF files from untrusted sources. 2) Educate users to avoid opening EMF files from unknown or suspicious origins, emphasizing the risk of social engineering attacks. 3) Employ file integrity monitoring and endpoint detection solutions to identify attempts to open or execute malicious EMF files. 4) Use application whitelisting and sandboxing techniques to isolate Canva Affinity processes and limit the impact of potential exploitation. 5) Monitor network and system logs for unusual activity related to file handling or memory access anomalies. 6) Prepare for rapid deployment of patches once available by maintaining an up-to-date asset inventory and patch management process. 7) Consider converting EMF files to safer formats before use if possible, reducing exposure to the vulnerable code path. These targeted steps go beyond generic advice by focusing on controlling EMF file usage and enhancing detection capabilities specific to this vulnerability.