CVE-2025-34124
Published: 16 July 2025
Summary
CVE-2025-34124 is a high-severity Improper Input Validation (CWE-20) vulnerability in Githubusercontent (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, it is ranked in the top 3.5% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0. The flaw resides in object sprite name parsing logic within .h3m map files and is triggered during in-game map loading. It is tracked as CVE-2025-34124 with a CVSS 4.0 score of 8.4 and is associated with CWE-20, CWE-94, and CWE-121.
An unauthenticated attacker can exploit the issue by supplying a crafted map file that the victim opens inside the game. Successful exploitation can result in arbitrary code execution on the target system under the privileges of the game process.
Public references include a Metasploit module, an Exploit-DB entry, and a VulnCheck advisory that document the map-file buffer overflow and provide exploit code, though no official vendor patch details are supplied in the available references.
The associated EPSS score stands at 0.2696 with no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21747
Vulnerability details
A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object name causes a buffer overflow, potentially allowing arbitrary code execution. Exploitation requires the victim to open a malicious map file within the game.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly implements checks on information inputs to reject invalid data before processing.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Directly prevents execution of attacker-supplied code written into data memory regions.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.