Exiv2 Denial-of-Service Vulnerability in ICC Profile Parsing

Vulnerability

A denial-of-service vulnerability has been identified in Exiv2 version 0.28.5. The issue arises from a quadratic-time algorithm in the ICC profile parsing code within the 'JpegBase::readMetadata()' function. This vulnerability can cause Exiv2 to consume excessive CPU or memory, so that processing takes far longer than it should. The denial of service is triggered when Exiv2 is used to read the metadata of a specially crafted JPEG image file.

Impact

Exiv2 can suffer significant performance degradation and run for an extended period, especially when processing large or specially crafted JPEG files.

Reproduction

The vulnerability can be reproduced by using Exiv2 version 0.28.5 to read the metadata of a crafted JPEG image file that triggers the quadratic ICC profile parsing path. This can be done with the Exiv2 command-line utility or with a C++ application that links the Exiv2 library.

Remediation

Users can upgrade to Exiv2 version 0.28.6, where this vulnerability has been fixed.
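For deployments that cannot upgrade immediately, one defensive option is to screen files before they reach Exiv2. The following is an added example, not part of this advisory or of the Exiv2 project: it walks the JPEG marker segments, collects the ICC_PROFILE APP2 chunks (the standard carrier for ICC profiles in JPEG), and rejects files whose chunk structure is inconsistent with what the chunks themselves declare or exceeds a size budget. The thresholds, and the assumption that a crafted input abuses the APP2 chunk path, are assumptions made here.

```python
import struct

EOI, SOS, APP2 = 0xD9, 0xDA, 0xE2
ICC_TAG = b"ICC_PROFILE\x00"  # APP2 identifier defined by the ICC specification

def iter_segments(data: bytes):
    """Yield (marker, payload) for each JPEG marker segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker in (EOI, SOS):
            return  # entropy-coded image data follows; metadata segments end here
        if 0xD0 <= marker <= 0xD7:
            continue  # RSTn markers are standalone and carry no length field
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]  # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        pos += length

def icc_profile_stats(data: bytes) -> dict:
    """Count ICC_PROFILE APP2 chunks and check them against their seq/count header."""
    chunks, total, counts, seqs = 0, 0, set(), []
    for marker, payload in iter_segments(data):
        if marker == APP2 and payload.startswith(ICC_TAG):
            hdr = len(ICC_TAG)
            if len(payload) < hdr + 2:
                raise ValueError("ICC chunk too short for its seq/count header")
            seqs.append(payload[hdr]); counts.add(payload[hdr + 1])
            chunks += 1; total += len(payload) - hdr - 2
    declared = next(iter(counts), 0)
    consistent = (len(counts) <= 1 and chunks == declared == len(set(seqs))
                  and all(1 <= s <= declared for s in seqs))
    return {"chunks": chunks, "bytes": total, "consistent": consistent}

def should_quarantine(data: bytes, max_chunks: int = 16, max_bytes: int = 4 << 20) -> bool:
    """Policy hook: reject inconsistent or over-budget ICC chunk sets (limits are assumptions)."""
    s = icc_profile_stats(data)
    return not s["consistent"] or s["chunks"] > max_chunks or s["bytes"] > max_bytes

def _icc_chunk(seq: int, count: int, body: bytes) -> bytes:
    payload = ICC_TAG + bytes([seq, count]) + body
    return b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (headers only, no image data): a well-formed 3-chunk profile, and a
# malformed one in which four chunks all claim to be chunk 1 of a 2-chunk profile.
SAMPLE_OK = b"\xff\xd8" + b"".join(_icc_chunk(i, 3, b"\0" * 16) for i in (1, 2, 3)) + b"\xff\xd9"
SAMPLE_BAD = b"\xff\xd8" + b"".join(_icc_chunk(1, 2, b"\0" * 16) for _ in range(4)) + b"\xff\xd9"
```

Run `icc_profile_stats(SAMPLE_BAD)` to see the inconsistency flagged; a file that fails `should_quarantine` would be held back rather than passed to an unpatched Exiv2.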

Added: Aug 29, 2025, 3:21 PM
Updated: Aug 29, 2025, 4:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.