CVE-2025-54489
Published: 25 August 2025
Summary
CVE-2025-54489 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Libbiosig Project Libbiosig. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws like this buffer overflow CVE through patching libbiosig.
SI-10 mandates validation of information inputs such as the MFER file's len2 value to ensure it does not exceed the 128-byte buffer size.
SI-16 enforces memory protections like stack canaries and ASLR to prevent exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote stack buffer overflow in network-reachable file parser enabling unauthenticated arbitrary code execution (T1190).
NVD Description
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to…
more
trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63: else if (tag==63) { uint8_t tag2=255, len2=255; count = 0; while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){ curPos += ifread(&tag2,1,1,hdr); curPos += ifread(&len2,1,1,hdr); if (VERBOSE_LEVEL==9) fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\n",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count); if (FlagInfiniteLength && len2==0 && tag2==0) break; count += (2+len2); curPos += ifread(&buf,1,len2,hdr); Here, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255.
Deeper analysisAI
A stack-based buffer overflow vulnerability, designated CVE-2025-54489 and tracked under CWE-121, affects the MFER parsing functionality in The Biosig Project's libbiosig version 3.9.0 and the master branch at commit 35a819fa. The issue occurs in biosig.c at line 8970 during processing of tag 63, where the code reads a single-octet length value (len2, which can reach 255) and copies that many bytes into a fixed 128-byte stack buffer named buf. A specially crafted MFER file can trigger this overflow, potentially leading to arbitrary code execution.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over a network with low complexity, no privileges or user interaction required. An attacker who can supply a malicious MFER file to an application or system using the affected libbiosig version can trigger the buffer overflow, achieving arbitrary code execution in the context of the parsing process.
Details on mitigation and patches are available in the advisories published by Talos Intelligence at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234 and https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2234. The CVE was published on 2025-08-25.
Details
- CWE(s)