CVE-2025-55304Inefficient Algorithmic Complexity in Exiv2

CWE-407Inefficient Algorithmic Complexity11 documents7 sources
Severity
1.8LOWNVD
OSV8.1
EPSS
0.0%
top 99.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Exiv2Debian Exiv2
Timeline
PublishedAug 29
Latest updateMar 19

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages6 packages

CVEListV5exiv2/exiv2< 0.28.6
NVDexiv2/exiv2< 0.28.6
debiandebian/exiv2< exiv2 0.28.7+dfsg-2 (forky)
Debianexiv2/exiv2< 0.28.7+dfsg-2
Ubuntuexiv2/exiv2< 0.27.5-3ubuntu1.1+9

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

6
OSV
exiv2 regression2026-03-19
OSV
exiv2 vulnerabilities2026-03-18
CVEList
Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata2025-08-29
OSV
Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata2025-08-29
OSV
CVE-2025-55304: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata2025-08-29

📋Vendor Advisories

4
Ubuntu
Exiv2 regression2026-03-19
Ubuntu
Exiv2 vulnerabilities2026-03-18
Red Hat
exiv2: Exiv2 has quadratic performance in ICC profile parsing2025-08-29
Debian
CVE-2025-55304: exiv2 - Exiv2 is a C++ library and a command-line utility to read, write, delete and mod...2025