Cyber Posture

CVE-2019-25560

High · Public PoC

Published: 21 March 2026

Modified: 16 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (22.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25560 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Lyricvideocreator Lyric Video Creator. Its CVSS base score is 7.5 (High).

Operationally, it is ranked at the 22.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Validates MP3 file inputs to reject malformed files with oversized buffers, directly preventing the application crash exploited by this CVE.

prevent

Ensures robust error handling during MP3 parsing to avoid denial-of-service crashes from malformed inputs as seen in this vulnerability.

prevent

Implements denial-of-service protections that limit the impact of application crashes triggered by crafted MP3 files via the Browse song functionality.

NVD Description

Lyric Video Creator 2.1 contains a denial of service vulnerability that allows attackers to crash the application by processing malformed MP3 files. Attackers can create a crafted MP3 file with an oversized buffer and trigger the crash by opening the file through the Browse song functionality.

Deeper analysis · AI

CVE-2019-25560 is a denial-of-service vulnerability affecting Lyric Video Creator version 2.1. The issue stems from the application's failure to properly handle malformed MP3 files containing an oversized buffer. When a user processes such a crafted file via the Browse song functionality, the application crashes, leading to a denial of service.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low attack complexity, no privileges or user interaction required, and high impact on availability but none on confidentiality or integrity. Attackers can craft a malicious MP3 file and deliver it to a target system, achieving application crash upon file opening through the affected functionality. It is linked to CWE-226.

Advisories and related resources include a VulnCheck advisory on the denial-of-service via MP3 file, an Exploit-DB entry (46816) with a proof-of-concept, and links to the vendor site (lyricvideocreator.com) and direct download for Lyric Video Creator. No specific patch or mitigation details are provided in the available information.

Details

CWE(s)

Affected Products

lyricvideocreator · lyric video creator · 2.1

CVEs Like This One

CVE-2025-0647 (Shared CWE-226)
CVE-2025-13108 (Shared CWE-226)
CVE-2026-5795 (Shared CWE-226)

References