CVE-2025-32024

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

CVSS

No CVSS.

References

Link	Resource
https://github.com/bep/imagemeta/commit/4fd89616d8bf7f9bb892360d3fb19080ec2b4602
https://github.com/bep/imagemeta/security/advisories/GHSA-q7rw-w4cq-2j6w

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) bep/imagemeta es una librería de Go para leer metadatos de imágenes EXIF, IPTC y XMP de archivos JPEG, TIFF, PNG y WebP. El formato de datos EXIF permite definir estructuras de datos excesivamente grandes en payloads relativamente pequeños. Antes de la versión v0.10.0, si no se confiaba en las imágenes de entrada, esto podía utilizarse para crear ataques de denegación de servicio. La versión v0.10.0 añadió las opciones LimitNumTags (5000 por defecto) y LimitTagSize (10000 por defecto).

08 Apr 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-32024

Mitre link : CVE-2025-32024

CVE.ORG link : CVE-2025-32024

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-32024", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-08T16:15:27.703", "references": [{"url": "https://github.com/bep/imagemeta/commit/4fd89616d8bf7f9bb892360d3fb19080ec2b4602", "source": "security-advisories@github.com"}, {"url": "https://github.com/bep/imagemeta/security/advisories/GHSA-q7rw-w4cq-2j6w", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options."}, {"lang": "es", "value": "bep/imagemeta es una librer\u00eda de Go para leer metadatos de im\u00e1genes EXIF, IPTC y XMP de archivos JPEG, TIFF, PNG y WebP. El formato de datos EXIF permite definir estructuras de datos excesivamente grandes en payloads relativamente peque\u00f1os. Antes de la versi\u00f3n v0.10.0, si no se confiaba en las im\u00e1genes de entrada, esto pod\u00eda utilizarse para crear ataques de denegaci\u00f3n de servicio. La versi\u00f3n v0.10.0 a\u00f1adi\u00f3 las opciones LimitNumTags (5000 por defecto) y LimitTagSize (10000 por defecto)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security-advisories@github.com"}