CVE-2025-66909: n/a

Severity: High
Type: Vulnerability (CVE-2025-66909)
Published: Fri Dec 19 2025 (12/19/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2025-66909 is a high-severity denial of service vulnerability in the Turms AI-Serving module (v0.10.0-SNAPSHOT and earlier). It arises from missing validation of image dimensions and pixel count before decompression in the ExtendedOpenCVImage class, which loads images with OpenCV's imread() function. An attacker can upload a small, crafted compressed image that decompresses to consume excessive memory, crashing the service with an OutOfMemoryError. No authentication or user interaction is required if the OCR service is publicly reachable, so a remote attacker can repeatedly trigger outages. The vulnerability affects availability only; confidentiality and integrity are not impacted. European organizations exposing this AI-Serving module in public OCR services are at risk of denial of service. Mitigation requires strict validation of declared image size before decompression, rate limiting, and restricting public access. Countries with higher adoption of AI and OCR technologies in critical infrastructure and services, such as Germany, France, and the UK, are the most likely to be affected.

AI-Powered Analysis

AILast updated: 12/26/2025, 15:23:07 UTC

Technical Analysis

CVE-2025-66909 is a denial of service vulnerability in the Turms AI-Serving module, version 0.10.0-SNAPSHOT and earlier. The vulnerability stems from the ExtendedOpenCVImage class, which loads images with OpenCV's imread() function without validating the image's declared dimensions or pixel count before decoding. Because the check is missing, an attacker can craft a compressed image file (for example a PNG) that is only a few kilobytes in compressed form but whose header declares dimensions that expand to gigabytes of pixel data when decoded. Processing such an image exhausts memory immediately, triggers an OutOfMemoryError, and crashes the AI service.

Since the OCR service that uses this module may be publicly accessible and does not require authentication, an attacker can exploit this remotely by uploading malicious images. Repeated requests lead to sustained denial of service, keeping the service unavailable.

The vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data, also known as data amplification). The analysis assigns a CVSS v3.1 base score of 7.5 (High), consistent with a network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability only; note that the CVE record metadata below lists no CVSS version, so the score comes from this analysis rather than from the record itself. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability impacts availability exclusively, without affecting confidentiality or integrity.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of AI-driven OCR services that utilize the Turms AI-Serving module. Organizations relying on automated document processing, identity verification, or other AI-based image analysis services could experience service outages, disrupting business operations and customer-facing services. Critical sectors such as finance, healthcare, government, and telecommunications that deploy OCR for document digitization or verification may face operational downtime. The ease of exploitation and lack of authentication requirements increase the risk of widespread denial of service attacks, potentially leading to reputational damage and financial losses. Additionally, if the affected services are part of larger automated workflows, the disruption could cascade, affecting broader IT infrastructure. Given the growing reliance on AI and machine learning services in Europe, this vulnerability could impact a wide range of industries and public services.

Mitigation Recommendations

To mitigate this vulnerability, organizations should validate image dimensions and pixel counts before decompression so that resource use is bounded by the declared size, not by the compressed size. Concretely, read the width and height from the container header (the PNG IHDR chunk, the JPEG SOF frame header) before handing the bytes to imread(), and reject any image whose width, height, or width × height exceeds a fixed budget sized to the service's available memory. Checking the compressed upload size alone is not sufficient, since a decompression bomb is by definition small on the wire.

As an additional layer, OpenCV's image codecs enforce their own ceilings, configurable through the environment variables OPENCV_IO_MAX_IMAGE_WIDTH, OPENCV_IO_MAX_IMAGE_HEIGHT and OPENCV_IO_MAX_IMAGE_PIXELS. Their defaults are far larger than a typical JVM heap can hold (the pixel ceiling is on the order of a billion pixels), so lowering them helps but is not a substitute for the application-level check.

Rate limiting and request throttling should be applied to the OCR service endpoints to reduce the risk of repeated exploitation. Access controls should restrict public accessibility of the OCR service, ideally requiring authentication and authorization. Monitoring and alerting for abnormal memory usage or service crashes can help detect exploitation attempts early. Update or patch the Turms AI-Serving module once a fix is released. As a temporary workaround, isolate the image processing component in a sandboxed environment with strict memory limits so that a crash is contained and the worker is restarted rather than the whole service. Finally, conduct regular security assessments and code reviews focusing on resource management in image processing components.
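The pre-decode size check described above, as an added example that is not code from Turms or from the advisory. It reads the declared width and height from PNG IHDR and JPEG SOF headers without decompressing any pixel data, rejects images whose decoded footprint would exceed a fixed budget, and builds a constructed sample PNG whose header claims 100000 × 100000 pixels so that the rejection path can be exercised. The thresholds MAX_WIDTH, MAX_HEIGHT, MAX_PIXELS and BYTES_PER_PIXEL are assumptions chosen for illustration; a real deployment sizes them to its own heap.

```python
"""Reject decompression-bomb images from their container headers, before
OpenCV imread() (or any decoder) allocates the full pixel buffer.
Added example; thresholds below are illustrative assumptions."""
import struct
import zlib

MAX_WIDTH = 8192          # assumed limits: tune to the service's memory budget
MAX_HEIGHT = 8192
MAX_PIXELS = 16_000_000   # 16 Mpx, about 64 MiB at the worst-case 4 bytes/pixel
BYTES_PER_PIXEL = 4       # BGRA worst case we are willing to budget for

PNG_SIG = b"\x89PNG\r\n\x1a\n"


class ImageRejected(ValueError):
    """Raised when an image is malformed or its declared size is over budget."""


def png_dimensions(data: bytes) -> tuple[int, int]:
    # PNG: 8-byte signature, then IHDR must be the first chunk:
    # length(4) "IHDR"(4) width(4) height(4) ... all big-endian.
    if len(data) < 24 or data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ImageRejected("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data: bytes) -> tuple[int, int]:
    # JPEG: walk marker segments until a SOFn frame header (0xC0..0xCF,
    # excluding DHT 0xC4, JPG 0xC8, DAC 0xCC), which carries height then width.
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ImageRejected("not a JPEG")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ImageRejected("corrupt JPEG marker stream")
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte, skip
            i += 1
            continue
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            i += 2                               # standalone markers carry no length
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if i + 9 > len(data):
                raise ImageRejected("truncated SOF segment")
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    raise ImageRejected("no SOF marker found")


def check_image(data: bytes) -> tuple[int, int]:
    """Return (width, height) if the declared size is within budget, else raise."""
    if data[:8] == PNG_SIG:
        w, h = png_dimensions(data)
    elif data[:2] == b"\xff\xd8":
        w, h = jpeg_dimensions(data)
    else:
        raise ImageRejected("unsupported or unrecognised container")
    if w == 0 or h == 0:
        raise ImageRejected("zero-sized image")
    if w > MAX_WIDTH or h > MAX_HEIGHT:
        raise ImageRejected(f"{w}x{h} exceeds {MAX_WIDTH}x{MAX_HEIGHT}")
    if w * h > MAX_PIXELS:
        raise ImageRejected(f"{w * h} pixels would need ~{w * h * BYTES_PER_PIXEL} bytes")
    return w, h


def is_acceptable(data: bytes) -> bool:
    """Boolean wrapper around check_image for use at an upload boundary."""
    try:
        check_image(data)
        return True
    except ImageRejected:
        return False


def decoded_footprint(data: bytes) -> int:
    """Bytes a decoder would allocate for the header-declared size (no decoding)."""
    w, h = png_dimensions(data) if data[:8] == PNG_SIG else jpeg_dimensions(data)
    return w * h * BYTES_PER_PIXEL


def make_png(width: int, height: int) -> bytes:
    """Constructed sample: a syntactically valid PNG whose IHDR claims the given
    size while its IDAT is a tiny zlib stream. Enough to exercise the header
    check; it is not a real picture."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    idat = zlib.compress(b"\x00" * 16)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed sample: SOI + APP0 + SOF0 only; the header check stops at SOF0."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0_body = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    sof0 = b"\xff\xc0" + struct.pack(">H", len(sof0_body) + 2) + sof0_body
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    bomb = make_png(100_000, 100_000)
    print(len(bomb), "bytes on the wire ->", decoded_footprint(bomb), "bytes decoded")
    print("bomb accepted:", is_acceptable(bomb))
    print("640x480 PNG accepted:", is_acceptable(make_png(640, 480)))
```

The check belongs at the upload boundary, before the bytes reach imread(); it costs a few dozen bytes of parsing per request and turns an unbounded allocation into a constant-time rejection. Formats beyond PNG and JPEG need their own header readers, and anything the reader does not recognise should be rejected rather than passed through.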


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694563c4a90e3c9a153eb8fc

Added to database: 12/19/2025, 2:40:04 PM

Last enriched: 12/26/2025, 3:23:07 PM

Last updated: 2/6/2026, 1:39:12 PM

