5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-25112

GHSA ID

GHSA-crmj-qh74-2r36

EPSS Score

0.02102%

CWE

CWE-400

Published

10/17/2024

Updated

10/23/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-25112

CVE-2024-25112:
Exiv2 has a denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder

Impact

A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, QuickTimeVideo::multipleEntriesDecoder, was new in v0.28.0 (see https://github.com/Exiv2/exiv2/pull/2337), so Exiv2 versions before v0.28 are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file.

Patches

The bug is fixed in version v0.28.2.

For more information

Please see our security policy for information about Exiv2 security.

Credit

This bug was found by OSS-Fuzz.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-25112

GHSA ID

GHSA-crmj-qh74-2r36

EPSS Score

0.02102%

CWE

CWE-400

Published

10/17/2024

Updated

10/23/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
exiv2	pip	>= 0.16.0, < 0.16.1	0.16.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

All vulnerability descriptions explicitly name QuickTimeVideo::multipleEntriesDecoder as the vulnerable function
The GitHub commit diff shows this function was introduced in quicktimevideo.cpp via PR #2337
The CWE-674 (Uncontrolled Recursion) classification directly maps to recursive function calls without proper termination conditions
The vulnerability manifests when processing malicious video files, which aligns with this decoder function's purpose
Version timeline matches - introduced in v0.28.0 and patched in v0.28.2

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * **ni*l-o*-s*rvi** w*s *oun* in *xiv* v*rsion v*.**.*: *n un*oun*** r**ursion **n **us* *xiv* to *r*s* *y *x**ustin* t** st**k. T** vuln*r**l* *un*tion, `Qui*kTim*Vi**o::multipl**ntri*s***o**r`, w*s n*w in v*.**.* (s** *ttps://*it*u*.*om/

Reasoning

*. *ll vuln*r**ility **s*riptions *xpli*itly n*m* Qui*kTim*Vi**o::multipl**ntri*s***o**r *s t** vuln*r**l* *un*tion *. T** *it*u* *ommit *i** s*ows t*is *un*tion w*s intro*u*** in qui*ktim*vi**o.*pp vi* PR #**** *. T** *W*-*** (Un*ontroll** R**ursion

5.5

Basic Information

Concerned about an active attack path?

CVE-2024-25112: Exiv2 has a denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder

Impact

Patches

For more information

Credit

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-25112:
Exiv2 has a denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder

Vulnerability Intelligence
Miggo AI