CVE-2025-54874

CRITICAL

OpenJPEG <2.5.4 - Memory Corruption

Title source: llm

Description

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

Exploits (1)

github WORKING POC

by cyhe50 · cpoc

https://github.com/cyhe50/cve-2025-54874-poc

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/uclouvain/openjpeg/pull/1573

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2025-057_OpenCV

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 21.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-457

Status published

Affected Products (1)

uclouvain/openjpeg < 2.5.3

Timeline

Published Aug 05, 2025

Tracked Since Feb 18, 2026