CVE-2025-15506

Description

A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

AcademySoftwareFoundation OpenColorIO <= 2.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <OpenColorIO/OpenColorIO.h>
namespace OCIO = OCIO_NAMESPACE;

int main() {
    try {
        OCIO::ConstConfigRcPtr config = OCIO::Config::Create();
        
        // Create a FileRules object with malformed regex pattern
        OCIO::FileRulesRcPtr fileRules = OCIO::FileRules::Create();
        
        // Attempt to set a file rule with potentially malicious pattern
        // that could trigger out-of-bounds read in ConvertToRegularExpression
        fileRules->setSearchablePathFromRootRule("pattern_with_special_chars_that_trigger_oob");
        
        // Try to get the rule - this may trigger ConvertToRegularExpression
        OCIO::ConstFileRuleRcPtr rule = fileRules->getSearchablePathFromRootRule();
        
        return 0;
    } catch (OCIO::Exception &e) {
        fprintf(stderr, "Error: %s\n", e.what());
        return 1;
    }
}

// Note: This PoC demonstrates the vulnerable code path.
// The actual trigger requires specific input to ConvertToRegularExpression
// in FileRules.cpp that causes out-of-bounds memory access.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15506
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15506
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15506/
[4] VulDB https://vuldb.com/cve/CVE-2025-15506
[5] https://github.com/AcademySoftwareFoundation/OpenColorIO/
[6] https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
[7] https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11
[8] https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231
[9] https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d
[10] https://github.com/oneafter/1225/blob/main/uaf
[11] https://vuldb.com/?ctiid.340444
[12] https://vuldb.com/?id.340444
[13] https://vuldb.com/?submit.733332

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15506", "sourceIdentifier": "[email protected]", "published": "2026-01-11T11:15:49.113", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en AcademySoftwareFoundation OpenColorIO hasta la versión 2.5.0. Este problema afecta a la función ConvertToRegularExpression del archivo src/OpenColorIO/FileRules.cpp. Realizar una manipulación resulta en una lectura fuera de límites. El ataque necesita ser abordado localmente. El exploit ha sido hecho público y podría ser usado. El parche se llama ebdbb75123c9d5f4643e041314e2bc988a13f20d. Para solucionar este problema, se recomienda desplegar un parche. La solución fue añadida al hito 2.5.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/OpenColorIO/", "source": "[email protected]"}, {"url": "https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228", "source": "[email protected]"}, {"url": "https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11", "source": "[email protected]"}, {"url": "https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231", "source": "[email protected]"}, {"url": "https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d", "source": "[email protected]"}, {"url": "https://github.com/oneafter/1225/blob/main/uaf", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.340444", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.340444", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.733332", "source": "[email protected]"}]}}