CVE-2025-55304

Impact

A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file.

Patches

The bug is fixed in version v0.28.6.

References

Issue: https://github.com/Exiv2/exiv2/issues/3333 Fixes: https://github.com/Exiv2/exiv2/pull/3335 (main branch), https://github.com/Exiv2/exiv2/pull/3345 (0.28.x branch)

For more information

Please see our security policy for information about Exiv2 security.

Published: Aug 29, 2025
Updated: Aug 30, 2025
CVE: CVE-2025-55304
GHSA: GHSA-m54q-mm9w-fp6g
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-407

Affected Software
References

Software	From	Fixed in
Exiv2	-	0.17.3.x

https://github.com/Exiv2/exiv2/issues/3333
https://github.com/Exiv2/exiv2/pull/3335
https://github.com/Exiv2/exiv2/pull/3345
https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g

Vulnerability Database

CVE-2025-55304

Impact

Patches

References

For more information