Out-of-Bounds Write Vulnerability in DjVuLibre by DjVu Group
CVE-2025-53367

8.4HIGH

Key Information:

Vendor: Djvunet
Status: Djvulibre
Vendor: CVE Published:; 3 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-53367?

DjVuLibre, an implementation of the DjVu format for document distribution, is affected by an out-of-bounds write vulnerability prior to version 3.5.29. The issue arises within the MMRDecoder::scanruns method, where the library fails to validate the bounds of memory buffers. This oversight may lead to memory corruption and potentially allow attackers to exploit the vulnerability by executing arbitrary code or causing denial of service. Users are strongly advised to upgrade to version 3.5.29 or later, where this issue has been effectively addressed.

Affected Version(s)

DjVuLibre < 3.5.29

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-53367 - Proof of Concept

References

https://securitylab.github.com/advisories/GHSL-2025-055_D...

x_refsource_CONFIRM

https://github.blog/security/vulnerability-research/cve-2...

x_refsource_MISC

https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196...

x_refsource_MISC

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jul 3, 2025
👾
Exploit known to exist
Jul 3, 2025
Vulnerability published
Jul 3, 2025
Vulnerability Reserved
Jun 27, 2025

Djvunet

Badges

What is CVE-2025-53367?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline