Out-of-bounds Write Vulnerability in mruby 3.4.0 by mruby
CVE-2025-12875

4.8MEDIUM

Key Information:

Vendor

mruby

Status
Mruby
Vendor
CVE Published:
7 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-12875?

A vulnerability has been detected in mruby 3.4.0 related to the ary_fill_exec function within the array.c file. The flaw arises from improper handling of the argument values 'start' and 'length' which may permit an out-of-bounds write. This issue can be exploited locally, potentially compromising the integrity of affected systems. An exploit is publicly available, and it is advisable for users to implement the patch identified as 93619f06dd378db6766666b30c08978311c7ec94 to mitigate this risk.

Affected Version(s)

mruby 3.4.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-12875 - Proof of Concept

References

https://vuldb.com/?id.331511
vdb-entrytechnical-description
https://vuldb.com/?ctiid.331511
signaturepermissions-required
https://vuldb.com/?submit.680879
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

tjbecker (VulDB User)
JSON
.
CVE-2025-12875 : Out-of-bounds Write Vulnerability in mruby 3.4.0 by mruby