CVE-2025-2308
Published: 14 March 2025
Summary
CVE-2025-2308 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in HDF5 from The HDF Group. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at percentile 16.2 by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2308 is a heap-based buffer overflow vulnerability classified as critical in HDF5 version 1.14.6. It affects the H5Z__scaleoffset_decompress_one_byte function within the Scale-Offset Filter component. The issue stems from improper memory handling and is mapped to CWE-119, CWE-122, and CWE-787.
Exploitation requires local access (AV:L) with low privileges (PR:L) and low attack complexity (AC:L), needs no user interaction (UI:N), and leaves scope unchanged (S:U). Attackers can achieve limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), scored at 5.3 under CVSS:3.1. A proof-of-concept exploit has been publicly disclosed.
Advisories from VulDB indicate the vendor plans to fix this in an upcoming release, with no patch available yet for version 1.14.6. Relevant details and the exploit POC are available at references including GitHub (madao123123/crash_report) and VulDB entries (ctiid.299721, id.299721, submit.514531). The vulnerability was published on 2025-03-14.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7559
Vulnerability details
A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in HDF5 library's Scale-Offset Filter enables local exploitation for arbitrary code execution, facilitating privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the heap-based buffer overflow in HDF5 1.14.6 by requiring timely flaw remediation through vendor patches once available.
Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to prevent exploitation of the heap buffer overflow in the Scale-Offset Filter.
Requires validation of inputs to the H5Z__scaleoffset_decompress_one_byte function to block malformed HDF5 data that triggers the buffer overflow.