N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32024

CVE-2025-32024: bep/imagemeta allows excessively large EXIF data structures

Impact

The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks.

Patches

v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32024

CVE-2025-32024:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bep/imagemeta	go	< 0.10.0	0.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the lack of limits on the number and size of EXIF/IPTC tags and records that the library would attempt to process. The provided commit patch (4fd89616d8bf7f9bb892360d3fb19080ec2b4602) introduces mitigations by adding LimitNumTags and LimitTagSize options and enforcing these limits in specific functions.

The Decode function in imagemeta.go is the main entry point for parsing. It was modified to enforce LimitNumTags by wrapping the ShouldHandleTag callback. Before this, it would process all tags passed by ShouldHandleTag.
The metaDecoderEXIF.decodeTag function in metadecoder_exif.go is responsible for decoding EXIF tags. It was modified to check the tag's value length against LimitTagSize. Before this, it would attempt to process tags of any size.
The metaDecoderIPTC.decodeRecord function in metadecoder_iptc.go is responsible for decoding IPTC records. It was modified to check the record size against LimitTagSize. Before this, it would attempt to process records of any size. These three functions are directly involved in processing the potentially malicious input (image metadata) and were modified to add the necessary size and count checks, indicating they were the points where the vulnerability could be triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32024: bep/imagemeta allows excessively large EXIF data structures

Impact

Patches

CVE-2025-32024:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-32024: bep/imagemeta allows excessively large EXIF data structures

Impact

Patches

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI