CVE-2025-2309
Published: 14 March 2025
Summary
CVE-2025-2309 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Hdfgroup Hdf5. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2309 is a critical heap-based buffer overflow vulnerability affecting HDF5 version 1.14.6, specifically in the H5T__bit_copy function of the Type Conversion Logic component. The issue, published on 2025-03-14, is linked to CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). Manipulation of the function triggers the overflow.
Local access is required for exploitation, targeting systems where an attacker has low privileges (PR:L). The attack has low complexity (AC:L) and needs no user interaction (UI:N), with a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A successful exploit can lead to limited impacts on confidentiality, integrity, and availability, potentially allowing partial data exposure, modification, or denial of service.
Advisories from VulDB indicate the exploit has been publicly disclosed, including a proof-of-concept on GitHub at https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc3.md. The vendor plans to fix the issue in an upcoming release, but no patch is currently available. Practitioners should restrict local access, monitor for updates, and test applications using HDF5 1.14.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7560
Vulnerability details
A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The…
more
exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in HDF5 type conversion enables arbitrary code execution via client application exploitation (T1203), potential privilege escalation (T1068), and application crashes for DoS (T1499.004) when processing malicious files locally.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the heap-based buffer overflow in HDF5 by requiring timely flaw remediation through vendor patches.
Implements memory protection mechanisms like ASLR and DEP that thwart exploitation of heap buffer overflows in functions like H5T__bit_copy.
Enforces least privilege to restrict local low-privilege access required for exploiting the vulnerability, limiting the attack surface.