CVE-2025-53644
Published: 17 July 2025
Summary
CVE-2025-53644 is a critical-severity Use of Uninitialized Variable (CWE-457) vulnerability in OpenCV. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Computer Vision; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the uninitialized pointer flaw in OpenCV versions 4.10.0 and 4.11.0 by upgrading to 4.12.0.
- SI-16 (Memory Protection): implements memory protections such as non-executable heap memory and address space randomization to limit the impact of arbitrary heap buffer writes originating from the uninitialized stack pointer; these do not remove the flaw, they only raise the cost of turning it into code execution.
- Input validation: enforces validation of JPEG image inputs to reject crafted files that could trigger the uninitialized pointer dereference in OpenCV.
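As an added, defender-side example (not code from OpenCV or from this advisory), the following pre-decode gate enforces the two controls above in the order that matters: it refuses to decode at all on an affected release, and only on a patched release does it reject oversized or mis-typed buffers before they reach imdecode. The version parsing and the JP2/J2K signature bytes are my assumptions drawn from the public format specifications, not from the advisory.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Versions named in the advisory: the two affected releases and the fixing release.
AFFECTED_VERSIONS = {(4, 10, 0), (4, 11, 0)}
FIXED_VERSION = (4, 12, 0)

# Leading bytes of the JPEG-family containers (assumption: taken from the format
# specs; the advisory itself only says "crafted JPEG images").
JPEG_SOI = b"\xff\xd8\xff"                          # JPEG/JFIF start-of-image marker
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"   # JPEG 2000 file-format signature box
J2K_SOC = b"\xff\x4f\xff\x51"                       # raw JPEG 2000 codestream (SOC + SIZ)


def parse_opencv_version(version: str) -> tuple[int, int, int]:
    """Reduce a cv2.__version__ string such as '4.11.0', '4.11.0.86' (wheel build)
    or '4.12.0-dev' to (major, minor, patch). Build and pre-release suffixes are
    ignored on the assumption that they track the bundled OpenCV core."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenCV version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True for the releases the advisory lists as vulnerable."""
    return parse_opencv_version(version) in AFFECTED_VERSIONS


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def gate_jpeg_input(data: bytes, opencv_version: str, max_bytes: int = 16 * 1024 * 1024) -> Verdict:
    """Decide whether an untrusted buffer may be handed to cv2.imdecode.
    The version check comes first: header checks cannot make a vulnerable
    decoder safe, they only stop mislabelled or oversized input."""
    if is_affected_version(opencv_version):
        return Verdict(False, f"OpenCV {opencv_version} is affected by CVE-2025-53644; upgrade to 4.12.0 or later")
    if len(data) > max_bytes:
        return Verdict(False, f"input exceeds size limit ({len(data)} > {max_bytes} bytes)")
    if data.startswith((JPEG_SOI, JP2_SIGNATURE, J2K_SOC)):
        return Verdict(True, "header matches a JPEG-family format and the decoder is patched")
    return Verdict(False, "header does not match JPEG, JP2 or J2K; refusing to decode")
```

In a deployment the version string comes from `cv2.__version__`; a magic-byte match does not prove a file is well formed, so the gate is a compensating control around the upgrade, not a substitute for it.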
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in OpenCV JPEG2000 decoder allows arbitrary heap buffer write via crafted images, enabling code execution in client applications processing untrusted images (T1203: Exploitation for Client Execution).
NVD Description
OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images. Version 4.12.0 fixes the vulnerability.
Deeper analysis
CVE-2025-53644 affects OpenCV, an open-source computer vision library, specifically versions 4.10.0 and 4.11.0. The vulnerability stems from an uninitialized pointer variable on the stack, which can lead to an arbitrary heap buffer write when processing crafted JPEG images. This issue is classified under CWE-457 (Use of Uninitialized Variable) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact confidentiality, integrity, and availability consequences.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated remote actor could supply a maliciously crafted JPEG image to an application using the affected OpenCV versions for image decoding, triggering the uninitialized pointer dereference and enabling arbitrary heap buffer writes. Successful exploitation could allow attackers to overwrite heap memory, potentially leading to remote code execution, data corruption, or denial of service, depending on the application's context and privileges.
Mitigation is available through upgrading to OpenCV version 4.12.0, which addresses the issue via a specific commit (a39db41390de546d18962ee1278bd6dbb715f466). Official advisories, including GitHub Security Lab's GHSL-2025-057 and the related issue tracker (#27271), confirm the fix in the 4.12.0 release and recommend immediate patching for affected deployments.
Details
- CWE(s): CWE-457 (Use of Uninitialized Variable)
- Affected Products: OpenCV 4.10.0 and 4.11.0 (fixed in 4.12.0)
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: OpenCV is explicitly described as an Open Source Computer Vision Library, and the vulnerability occurs in its image decoding functionality (imdecode for JPEG2000 images), which is core to computer vision tasks in AI pipelines.