CVE-2025-54874

CRITICAL

OpenJPEG <2.5.4 - Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-54874. PoCs published by cyhe50.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2025-54874, demonstrating a memory leak in OpenJPEG 2.5.1 due to improper error handling in `opj_jp2_read_header`. The PoC includes a crafted JP2 file and a C program to trigger the leak, validated with Valgrind output.

Description

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

Exploits (1)

github WORKING POC
by cyhe50 · cpoc
https://github.com/cyhe50/cve-2025-54874-poc

This repository contains a functional PoC for CVE-2025-54874, demonstrating a memory leak in OpenJPEG 2.5.1 due to improper error handling in `opj_jp2_read_header`. The PoC includes a crafted JP2 file and a C program to trigger the leak, validated with Valgrind output.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: OpenJPEG 2.5.1
No auth needed
Prerequisites: OpenJPEG 2.5.1 compiled with debug symbols · Valgrind for memory leak detection
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0032
EPSS Percentile 56.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-457
Status published
Products (1)
uclouvain/openjpeg < 2.5.3
Published Aug 05, 2025
Tracked Since Feb 18, 2026