Cyber Resilience

CVE-2025-54874

Medium · Public PoC

Published: 05 August 2025
Modified: 26 September 2025
CVSS Score v4: 6.6
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0032 (55.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54874 is a medium-severity Use of Uninitialized Variable (CWE-457) vulnerability in UCLouvain OpenJPEG. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 44.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54874 is a critical vulnerability in OpenJPEG, an open-source JPEG 2000 codec, affecting versions 2.5.1 through 2.5.3. The issue arises in the opj_jp2_read_header function, which can trigger an out-of-bounds (OOB) heap memory write when the input data stream (p_stream) is too short and the p_image structure is not properly initialized. This flaw, associated with CWE-457 (Use of Uninitialized Variable), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for severe impacts across confidentiality, integrity, and availability. This v3.1 vector differs from the CVSS v4 vector listed at the top of this page, which scores the issue 6.6 (Medium) with a local attack vector (AV:L).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a specially crafted JPEG 2000 image or data stream that meets the faulty conditions, an attacker could cause heap memory corruption, potentially leading to arbitrary code execution, data tampering, or denial-of-service crashes in applications processing untrusted JPEG 2000 files via OpenJPEG.

Mitigation involves updating to a patched version of OpenJPEG, as detailed in the upstream fix via commit f809b80c67717c152a5ad30bf06774f00da4fd2d and pull request #1573 on the uclouvain/openjpeg GitHub repository. Additionally, the GitHub Security Lab advisory GHSL-2025-057 highlights implications for OpenCV, which integrates OpenJPEG, urging users of affected OpenCV builds to apply corresponding updates or avoid processing untrusted inputs.

Vulnerability details

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap out-of-bounds write vulnerability in OpenJPEG JPEG 2000 decoder enables arbitrary code execution via crafted images in client applications using the library (e.g., OpenCV), facilitating Exploitation for Client Execution.

CVEs Like This One

CVE-2026-6748 (Shared CWE-457)
CVE-2025-53644 (Shared CWE-457)
CVE-2026-6311 (Shared CWE-457)
CVE-2026-6751 (Shared CWE-457)
CVE-2026-9963 (Shared CWE-457)
CVE-2026-9935 (Shared CWE-457)
CVE-2026-1333 (Shared CWE-457)
CVE-2026-10008 (Shared CWE-457)
CVE-2025-47348 (Shared CWE-457)
CVE-2026-9942 (Shared CWE-457)

Affected Assets

Vendor: uclouvain | Product: openjpeg | Affected versions: ≤ 2.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires timely remediation of identified flaws, directly addressing this vulnerability by mandating updates to patched OpenJPEG versions.

Prevent: SI-16 enforces memory protection mechanisms like ASLR and DEP that prevent exploitation of heap memory corruption from OOB writes.

Prevent: SI-10 mandates validation of inputs prior to processing, mitigating malformed JPEG 2000 streams that trigger the uninitialized variable and short data conditions.
