Cyber Resilience

CVE-2025-29487

HighPublic PoCDDoS

Published: 27 March 2025

Published
27 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0047 65.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29487 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Libming Libming. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 35.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-29487, published on 2025-03-27, is an out-of-memory error in the parseABC_STRING_INFO function of libming version 0.4.8. This flaw enables attackers to trigger a Denial of Service (DoS) condition through allocator exhaustion, as classified under CWE-400 (Uncontrolled Resource Consumption). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption.

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or special scoping changes. Exploitation involves crafting malicious input that causes excessive memory allocation during parsing, leading to process crashes or resource exhaustion and denying service to legitimate users of affected libming-dependent applications.

Advisories and related resources include a GitHub issue tracking the problem at https://github.com/libming/libming/issues/330 and a proof-of-concept repository at https://github.com/goodmow/PoC/blob/main/libming/libming-fuzz6.readme, which may provide further details on reproduction and potential fixes. No specific patches or mitigations are outlined in the core CVE description.

EU & UK References

Vulnerability details

An out-of-memory error in the parseABC_STRING_INFO function of libming v0.4.8 allows attackers to cause a Denial of Service (DoS) due to allocator exhaustion.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-memory error and memory leaks in libming during SWF parsing enable denial of service via resource exhaustion, specifically through exploitation of the application.

CVEs Like This One

CVE-2025-29484Same product: Libming Libming
CVE-2025-26304Same product: Libming Libming
CVE-2025-26305Same product: Libming Libming
CVE-2024-56921Shared CWE-400
CVE-2026-33538Shared CWE-400
CVE-2026-0517Shared CWE-400
CVE-2026-6051Shared CWE-400
CVE-2026-21945Shared CWE-400
CVE-2026-33750Shared CWE-400
CVE-2024-33618Shared CWE-400

Affected Assets

libming
libming
0.4.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely identification, reporting, and correction of flaws like the out-of-memory error in libming's parseABC_STRING_INFO directly prevents DoS exploitation by patching or removing the vulnerable component.

prevent

Validating inputs to the libming parser prevents malicious ABC_STRING_INFO data from triggering excessive memory allocation and allocator exhaustion.

prevent

Denial-of-service protections at system entry points mitigate remote network exploitation leading to process crashes from resource exhaustion in libming.

References