CVE-2025-32024: bep/imagemeta allows excessively large EXIF data structures

6.9 CVSS

Description

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

Classification

CVE ID: CVE-2025-32024

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: bep

Product: imagemeta

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.35% (scored less or equal to compared to others)

EPSS Date: 2025-04-21 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32024
https://github.com/bep/imagemeta/security/advisories/GHSA-q7rw-w4cq-2j6w
https://github.com/bep/imagemeta/commit/4fd89616d8bf7f9bb892360d3fb19080ec2b4602

Timeline

2025-04-08 16:40:22 UTC
CVE

bep/imagemeta allows excessively large EXIF data structures
2025-04-09 13:15:35 UTC
Github Advisory Database (Go)

[github.com/bep/imagemeta] bep/imagemeta allows excessively large EXIF data structures