CVE-2025-54874
Published: 05 August 2025
Summary
CVE-2025-54874 is a critical-severity Use of Uninitialized Variable (CWE-457) vulnerability in Uclouvain Openjpeg. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of identified flaws, directly addressing this vulnerability by mandating updates to patched OpenJPEG versions.
SI-16 enforces memory protection mechanisms like ASLR and DEP that prevent exploitation of heap memory corruption from OOB writes.
SI-10 mandates validation of inputs prior to processing, mitigating malformed JPEG 2000 streams that trigger the uninitialized variable and short data conditions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap out-of-bounds write vulnerability in OpenJPEG JPEG 2000 decoder enables arbitrary code execution via crafted images in client applications using the library (e.g., OpenCV), facilitating Exploitation for Client Execution.
NVD Description
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.
Deeper analysisAI
CVE-2025-54874 is a critical vulnerability in OpenJPEG, an open-source JPEG 2000 codec, affecting versions 2.5.1 through 2.5.3. The issue arises in the opj_jp2_read_header function, which can trigger an out-of-bounds (OOB) heap memory write when the input data stream (p_stream) is too short and the p_image structure is not properly initialized. This flaw, associated with CWE-457 (Use of Uninitialized Variable), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for severe impacts across confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a specially crafted JPEG 2000 image or data stream that meets the faulty conditions, an attacker could cause heap memory corruption, potentially leading to arbitrary code execution, data tampering, or denial-of-service crashes in applications processing untrusted JPEG 2000 files via OpenJPEG.
Mitigation involves updating to a patched version of OpenJPEG, as detailed in the upstream fix via commit f809b80c67717c152a5ad30bf06774f00da4fd2d and pull request #1573 on the uclouvain/openjpeg GitHub repository. Additionally, the GitHub Security Lab advisory GHSL-2025-057 highlights implications for OpenCV, which integrates OpenJPEG, urging users of affected OpenCV builds to apply corresponding updates or avoid processing untrusted inputs.
Details
- CWE(s)