CVE-2025-48074
MEDIUMOpenEXR 3.3.2 - Allocation of Resources Without Limits via Unvalidated DataWindow Size
Title source: llmDescription
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf
Exploit x_refsource_misc
https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074
Scores
CVSS v3
5.5
EPSS
0.0024
EPSS Percentile
15.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
openexr/openexr
3.3.2
pypi/OpenEXR
3.3.2 - 3.3.3PyPI
Published
Aug 01, 2025
Tracked Since
Feb 18, 2026