#VU112448 Out-of-bounds write in DjVuLibre - CVE-2025-53367
Published: July 7, 2025
Vulnerability identifier: #VU112448
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-53367
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
DjVuLibre
DjVuLibre
Software vendor:
DjVu
DjVu
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the MMRDecoder::scanruns method. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install updates from vendor's website.
External links
- https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre
- https://securitylab.github.com/advisories/GHSL-2025-055_DjVuLibre/
- https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da
- https://www.openwall.com/lists/oss-security/2025/07/03/1