CVE-2025-32024 MEDIUM

CVE-2025-32024: bep/imagemeta allows excessively large EXIF data structures

Vendor Bep
Product imagemeta
Weakness CWE-770 · Uncontrolled resource consumption
Published April 8, 2025
Last update April 8, 2025

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before v0.10.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. v0.10.0 added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

Key dates

02Disclosure timeline

April 8, 2025 CVE published
April 8, 2025 Record updated

Related vulnerabilities

04Related CVE