CVE-2025-54487
Published: 25 August 2025
Summary
CVE-2025-54487 is a critical-severity stack-based buffer overflow (CWE-121) in libbiosig, The Biosig Project's biosignal file-format library. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like the 'len' field in MFER tag 12 parsing to prevent buffer overflows from malformed files.
SI-16 enforces memory protections such as ASLR and DEP/NX; these do not remove the overflow, but they make it harder to turn the stack corruption into reliable arbitrary code execution.
SI-2 mandates identification, reporting, and correction of flaws like the buffer overflow in libbiosig's MFER parsing functionality.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in the libbiosig MFER parser lets an unauthenticated attacker achieve arbitrary code execution with a crafted file (CWE-121). Because libbiosig is a library, the operational technique depends on where it is embedded: a network service that accepts uploaded biosignal files maps to T1190 (Exploit Public-Facing Application), while a desktop or analysis tool that opens files a user receives maps to T1203 (Exploitation for Client Execution).
NVD Description
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

This vulnerability manifests on line 8842 of biosig.c on the current master branch (35a819fa), when the Tag is 12:

    else if (tag==12) //0x0C
    { // sampling resolution
        if (len>6) fprintf(stderr,"Warning MFER tag12 incorrect length %i>6\n",len);
        val32 = 0;
        int8_t v8;
        curPos += ifread(&UnitCode,1,1,hdr);
        curPos += ifread(&v8,1,1,hdr);
        curPos += ifread(buf,1,len-2,hdr);

In addition to values of `len` greater than 130 triggering a buffer overflow, a value of `len` smaller than 2 will also trigger a buffer overflow due to an integer underflow when computing `len-2` in this code path.
Deeper analysis
A stack-based buffer overflow, tracked as CVE-2025-54487, affects the MFER parsing functionality in The Biosig Project's libbiosig version 3.9.0 and the master branch at commit 35a819fa. The issue, classified under CWE-121, sits in biosig.c at line 8842 in the handling of tag 12. The attacker-controlled length field len is checked only loosely: a value above 6 produces a warning on stderr, but the code continues and reads len-2 bytes into a fixed-size buffer. Two ranges of len therefore corrupt the stack: anything greater than 130 makes the read longer than the buffer, and anything smaller than 2 makes len-2 wrap around to a very large read count. A specially crafted MFER file can exploit either path to achieve arbitrary code execution.
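To make the two failure modes concrete, the following is an added example written for this page; it is not libbiosig's code and not part of the NVD description or the Talos advisory. It puts a bounds-checked tag 12 handler next to the arithmetic the unchecked path performs. It assumes a 128-byte destination buffer (chosen so that len > 130 overflows, matching the threshold quoted above), an unsigned len, and an in-memory stand-in for ifread(); the sample tag bodies are constructed, not taken from a real MFER file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer tag 12 data is read into. 128 is an
 * assumption chosen so that len - 2 > 128, i.e. len > 130, overflows, which
 * matches the threshold quoted in the advisory text. */
#define TAG12_BUF_SIZE 128

/* In-memory byte stream standing in for the MFER file handle; stream_read plays
 * the role of libbiosig's ifread(): copy up to n bytes, advance, return count. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

static size_t stream_read(void *dst, size_t n, stream_t *s)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

enum tag12_status {
    TAG12_OK = 0,
    TAG12_LEN_TOO_SHORT,   /* len < 2: len - 2 would wrap around */
    TAG12_LEN_TOO_LONG,    /* len - 2 exceeds the destination buffer */
    TAG12_TRUNCATED        /* file holds fewer bytes than len declares */
};

struct tag12 {
    uint8_t unit_code;
    int8_t  v8;
    uint8_t payload[TAG12_BUF_SIZE];
    size_t  payload_len;
};

/* The arithmetic the vulnerable path performs before calling ifread(): with an
 * unsigned len (assumed here), len - 2 wraps to a huge count whenever len < 2. */
static size_t unchecked_read_count(size_t len)
{
    return len - 2;
}

/* Hardened tag 12 handler: every check happens before the first read, so
 * neither the wrapped count nor an oversized copy can reach the buffer.
 * Unlike the original's len > 6 warning, a bad length is rejected, not logged. */
static enum tag12_status parse_tag12(stream_t *s, size_t len, struct tag12 *out)
{
    if (len < 2)
        return TAG12_LEN_TOO_SHORT;
    if (len - 2 > sizeof out->payload)
        return TAG12_LEN_TOO_LONG;
    if (len > s->len - s->pos)
        return TAG12_TRUNCATED;
    stream_read(&out->unit_code, 1, s);
    stream_read(&out->v8, 1, s);
    out->payload_len = stream_read(out->payload, len - 2, s);
    return TAG12_OK;
}

/* Constructed sample tag-12 bodies, not bytes from a real MFER file. */
static const uint8_t good_body[]    = { 0x00, 0x0A, 0x01, 0x02, 0x03, 0x04 }; /* len 6 */
static const uint8_t short_body[]   = { 0x00 };                               /* len 1 */
static const uint8_t long_body[200] = { 0 };                                  /* len up to 200 */

static struct tag12 g_last;   /* result of the most recent try_body() call */

/* Feed `avail` bytes of `body` to the parser with a declared length of `declared`. */
static enum tag12_status try_body(const uint8_t *body, size_t avail, size_t declared)
{
    stream_t s = { body, avail, 0 };
    memset(&g_last, 0, sizeof g_last);
    return parse_tag12(&s, declared, &g_last);
}

int main(void)
{
    enum tag12_status st;
    st = try_body(good_body, sizeof good_body, 6);
    printf("len=6   -> status %d, payload_len %zu\n", st, g_last.payload_len);
    st = try_body(short_body, sizeof short_body, 1);
    printf("len=1   -> status %d (unchecked read count would be %zu)\n", st, unchecked_read_count(1));
    st = try_body(long_body, sizeof long_body, 200);
    printf("len=200 -> status %d (unchecked read count would be %zu > %d)\n", st, unchecked_read_count(200), TAG12_BUF_SIZE);
    st = try_body(good_body, 4, 6);
    printf("len=6 with only 4 bytes on disk -> status %d\n", st);
    return 0;
}
```

Build with any C99 compiler (for example `cc -Wall -Wextra example.c && ./a.out`). The third check, comparing the declared length against the bytes actually remaining, is not needed to stop the stack overflow but prevents a truncated file from leaving part of the buffer uninitialised while the caller believes len-2 bytes were read.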
Attackers require no privileges or user interaction and can exploit remotely with low complexity, as reflected in the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Any unauthenticated remote actor capable of supplying a malicious MFER file to an application or system using the vulnerable libbiosig can trigger the overflow, achieving arbitrary code execution with high impacts to confidentiality, integrity, and availability.
Mitigation guidance is available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234.
Details
- CWE(s)