Cyber Resilience

CVE-2019-25560

High · Public PoC

Published: 21 March 2026
Modified: 16 April 2026
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0047 (37.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25560 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Lyricvideocreator Lyric Video Creator. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 37.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25560 is a denial-of-service vulnerability affecting Lyric Video Creator version 2.1. The issue stems from the application's failure to properly handle malformed MP3 files containing an oversized buffer. When a user processes such a crafted file via the Browse song functionality, the application crashes, leading to a denial of service.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low attack complexity, no privileges or user interaction required, and high impact on availability but none on confidentiality or integrity. Attackers can craft a malicious MP3 file and deliver it to a target system, achieving application crash upon file opening through the affected functionality. It is linked to CWE-226.

Advisories and related resources include a VulnCheck advisory on the denial-of-service via MP3 file, an Exploit-DB entry (46816) with a proof-of-concept, and links to the vendor site (lyricvideocreator.com) and direct download for Lyric Video Creator. No specific patch or mitigation details are provided in the available information.

Vulnerability details

Lyric Video Creator 2.1 contains a denial of service vulnerability that allows attackers to crash the application by processing malformed MP3 files. Attackers can create a crafted MP3 file with an oversized buffer and trigger the crash by opening the file through the Browse song functionality.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed MP3 file triggers application crash via oversized buffer, enabling direct exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0647 (Shared CWE-226)
CVE-2025-13108 (Shared CWE-226)
CVE-2026-5795 (Shared CWE-226)

Affected Assets

Vendor: lyricvideocreator
Product: lyric video creator
Version: 2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Validates MP3 file inputs to reject malformed files with oversized buffers, directly preventing the application crash exploited by this CVE.

prevent

Ensures robust error handling during MP3 parsing to avoid denial-of-service crashes from malformed inputs as seen in this vulnerability.

prevent

Implements denial-of-service protections that limit the impact of application crashes triggered by crafted MP3 files via the Browse song functionality.
