GHSA-m54q-mm9w-fp6g

Source
https://github.com/advisories/GHSA-m54q-mm9w-fp6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-m54q-mm9w-fp6g/GHSA-m54q-mm9w-fp6g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m54q-mm9w-fp6g
Aliases
Published
2025-08-29T14:59:37Z
Modified
2025-08-29T21:37:15.649530Z
Severity
  • 1.8 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata
Details

Impact

A denial of service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in JpegBase::readMetadata() can cause Exiv2 to run for a long time. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The denial of service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file.

Patches

The bug is fixed in version v0.28.6.

References

Issue: https://github.com/Exiv2/exiv2/issues/3333
Fixes: https://github.com/Exiv2/exiv2/pull/3335 (main branch), https://github.com/Exiv2/exiv2/pull/3345 (0.28.x branch)

For more information

Please see our security policy for information about Exiv2 security.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T14:59:37Z",
    "nvd_published_at": "2025-08-29T15:15:35Z",
    "cwe_ids": [
        "CWE-407"
    ],
    "severity": "LOW"
}

Affected packages

PyPI / exiv2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.17.3

Affected versions

0.*

0.1
0.2
0.3
0.3.1
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.14.0
0.14.1
0.15.0
0.16.0
0.16.1
0.16.2
0.16.2.post1
0.16.3
0.16.3.post1
0.17.0
0.17.1
0.17.2
0.17.3