Out-of-Bounds Memory Write in OpenJPEG JPEG 2000 Codec by UCLouvain
CVE-2025-54874

6.6MEDIUM

Key Information:

Vendor

Uclouvain

Status
Openjpeg
Vendor
CVE Published:
5 August 2025

What is CVE-2025-54874?

The OpenJPEG library, a widely used open-source JPEG 2000 codec, contains a vulnerability that allows an out-of-bounds heap memory write. This issue arises when the function opj_jp2_read_header is called with a data stream that is shorter than expected while the image data structure is not properly initialized. If exploited, this vulnerability could potentially lead to arbitrary code execution or other unpredictable behaviors, making it essential for users of affected versions to apply the necessary patches and updates.

Affected Version(s)

openjpeg >= 2.5.1, <= 2.5.3

References

https://github.com/uclouvain/openjpeg/commit/f809b80c6771...
x_refsource_CONFIRM
https://github.com/uclouvain/openjpeg/pull/1573
x_refsource_MISC
https://securitylab.github.com/advisories/GHSL-2025-057_O...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.