CVE-2025-8837

A vulnerability was identified in JasPer up to 4.2.5. This affects the function jpcdecdump of the file src/libjasper/jpc/jpc_dec.c of the component JPEG2000 File Handler. The manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named 8308060d3fbc1da10353ac8a95c8ea60eba9c25a. It is recommended to apply a patch to fix this issue.

References

Affected packages

Git / github.com/jasper-software/jasper

Affected ranges

Type: GIT
Repo: https://github.com/jasper-software/jasper
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8308060d3fbc1da10353ac8a95c8ea60eba9c25a

Type

GIT

Repo

https://github.com/mdadams/jasper

Events

Introduced

Last affected

849888f0a6e76bb440581d5f8c0a947a39e92aa2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.5"
        }
    ]
}

Affected versions

Other

manual-version-mdadams-20220109-2039

manual-version-mdadams-20221103-1902

mdadams-clang-issue

version-1.*

version-1.900.1

version-1.900.10

version-1.900.11

version-1.900.12

version-1.900.13

version-1.900.14

version-1.900.15

version-1.900.16

version-1.900.17

version-1.900.18

version-1.900.19

version-1.900.2

version-1.900.20

version-1.900.21

version-1.900.22

version-1.900.23

version-1.900.24

version-1.900.25

version-1.900.26

version-1.900.27

version-1.900.28

version-1.900.29

version-1.900.3

version-1.900.30

version-1.900.31

version-1.900.4

version-1.900.5

version-1.900.6

version-1.900.7

version-1.900.8

version-1.900.9

version-2.*

version-2.0.0

version-2.0.0-beta.1

version-2.0.0-beta.2

version-2.0.1

version-2.0.10

version-2.0.11

version-2.0.12

version-2.0.13

version-2.0.14

version-2.0.15

version-2.0.16

version-2.0.19

version-2.0.2

version-2.0.20

version-2.0.21

version-2.0.21-rc1

version-2.0.22

version-2.0.22-rc1

version-2.0.23

version-2.0.24

version-2.0.25

version-2.0.26

version-2.0.27

version-2.0.28

version-2.0.29

version-2.0.3

version-2.0.31

version-2.0.32

version-2.0.33

version-2.0.4

version-2.0.5

version-2.0.6

version-2.0.7

version-2.0.8

version-2.0.9

version-3.*

version-3.0.0

version-3.0.0-rc1

version-3.0.0-rc2

version-3.0.1

version-3.0.2

version-3.0.3

version-3.0.4

version-3.0.5

version-3.0.6

version-4.*

version-4.0.0

version-4.0.0-rc1

version-4.0.1

version-4.0.1-rc1

version-4.1.0

version-4.1.0-rc1

version-4.1.0-rc2

version-4.1.1

version-4.1.1-rc1

version-4.1.2

version-4.2.0

version-4.2.0-rc1

version-4.2.1

version-4.2.2

version-4.2.3

version-4.2.4

version-4.2.5

version-4.2.6

version-4.2.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8837.json"

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/jasper-software/jasper/commit/8308060d3fbc1da10353ac8a95c8ea60eba9c25a",
        "target": {
            "function": "jpc_dec_dump",
            "file": "src/libjasper/jpc/jpc_dec.c"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "163757978096911571915020519653841478415",
            "length": 2589.0
        },
        "signature_type": "Function",
        "id": "CVE-2025-8837-1701e935"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/jasper-software/jasper/commit/8308060d3fbc1da10353ac8a95c8ea60eba9c25a",
        "target": {
            "function": "jpc_dec_tilefini",
            "file": "src/libjasper/jpc/jpc_dec.c"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "316489031953562971361747541419822227216",
            "length": 1859.0
        },
        "signature_type": "Function",
        "id": "CVE-2025-8837-4428ebc5"
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/jasper-software/jasper/commit/8308060d3fbc1da10353ac8a95c8ea60eba9c25a",
        "target": {
            "file": "src/libjasper/jpc/jpc_dec.c"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "264930601948072186054905893514555988777",
                "173093703108513699568358199349627871130",
                "156177065946872411093907114362151153754",
                "148493993793190185757727118274762302413",
                "223125194302768608298484101137858161299",
                "203595590310114776625660052718038606564",
                "61615748847560144451914775997605362981",
                "14534258138738386521491080464939301977",
                "268645922206862509048548582730573918287",
                "339911697961718171002789500001741908118",
                "173696686715943484239853468827661014864",
                "40269451705061876317600298217372232107",
                "267472455545449748132108919035156725582",
                "33970352916323339166088017194193342739",
                "117783114085249264782024023447860718627",
                "284214259109684050744122444220403985818",
                "23021628804431381723381094468829766890",
                "276222830939299533201657305085731665371",
                "88268878788184241808242969004383430680"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-8837-9b5e7ea9"
    }
]

vanir_signatures_modified

"2026-04-12T22:06:19Z"