5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-26623

GHSA ID

GHSA-38h4-fx85-qcx7

EPSS Score

0.36426%

CWE

CWE-416

Published

2/21/2025

Updated

2/21/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-26623

CVE-2025-26623: Exiv2 allows Use After Free

Impact

A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file.

Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as fixiso.

Patches

The bug is fixed in version v0.28.5.

References

Issue: https://github.com/Exiv2/exiv2/issues/3168 Fix: https://github.com/Exiv2/exiv2/pull/3174

For more information

Please see our security policy for information about Exiv2 security.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-26623

CVE-2025-26623:

5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-26623

GHSA ID

GHSA-38h4-fx85-qcx7

EPSS Score

0.36426%

CWE

CWE-416

Published

2/21/2025

Updated

2/21/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Exiv2	pip	>= 0.28.0, < 0.28.5	0.28.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The ASAN trace in GitHub issue #3168 shows a heap-use-after-free in TiffComponent::accept() at tiffcomposite_int.cpp:628. The fix in PR #3174 addresses ownership issues by reverting faulty copy constructors, indicating improper pointer management in TIFF component handling. The vulnerability manifests during metadata encoding via TiffParser::encode, which traverses components using visitors. TiffSubIfd's acceptance of visitors after being freed (due to missing ownership transfers) is the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-26623: Exiv2 allows Use After Free

Impact

Patches

References

For more information

CVE-2025-26623:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.3

5.3

CVE-2025-26623: Exiv2 allows Use After Free

Impact

Patches

References

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI