CVE-2025-3409Improper Restriction of Operations within the Bounds of a Memory Buffer in STB Image.h

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-121Stack-based Buffer Overflow5 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 52.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nothings STB Image.hNothings STB
Timeline
PublishedApr 8

Description

A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDnothings/stb_image.h2025-03-14
CVEListV5nothings/stbf056911

🔴Vulnerability Details

3
GHSA
GHSA-69p9-7943-9qhx: A vulnerability classified as critical has been found in Nothings stb up to f0569112025-04-08
CVEList
Nothings stb stb_include_string stack-based overflow2025-04-08
OSV
CVE-2025-3409: A vulnerability classified as critical has been found in Nothings stb up to f0569112025-04-08

📋Vendor Advisories

1
Debian
CVE-2025-3409: libstb - A vulnerability classified as critical has been found in Nothings stb up to f056...2025
CVE-2025-3409 — Nothings STB Image.h vulnerability | cvebase