Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Heap-based buffer overflow vulnerability in Adobe InDesign Desktop that allows arbitrary code execution when a user opens a malicious file. Affected versions include InDesign ID20.2, ID19.5.3, and earlier. The vulnerability requires user interaction but presents high severity risk (CVSS 7.8) with potential for complete system compromise in the context of the affected user's privileges.
Technical ContextAI
This vulnerability exploits a heap-based buffer overflow (CWE-122) in Adobe InDesign's file parsing logic. CWE-122 represents a classic memory safety issue where data written to a heap buffer exceeds allocated bounds, corrupting adjacent memory structures and potentially allowing an attacker to overwrite function pointers or other critical heap metadata. The vulnerability is triggered during file deserialization when InDesign processes maliciously crafted document files (.indd or related formats). The affected product is Adobe InDesign Desktop (CPE: adobe indesign), with specific vulnerable versions being ID20.2 and earlier in the 20.x branch, and ID19.5.3 and earlier in the 19.x branch. The root cause lies in insufficient bounds checking during heap memory operations when parsing untrusted file content.
RemediationAI
Users should immediately update Adobe InDesign to versions later than ID20.2 (recommend ID21.x or latest available) or ID19.5.3 (if on 19.x branch). Adobe typically releases security updates through the Creative Cloud desktop application or manual download from adobe.com/downloads. As an immediate mitigation: (1) disable file preview features in file managers that may auto-parse InDesign files, (2) educate users to avoid opening InDesign files from untrusted sources (email attachments, unknown websites), (3) implement email filtering to block or sandbox InDesign file attachments if possible, (4) consider disabling InDesign auto-open features in browser downloads. Patches should be applied through Adobe's official update mechanism within 30 days of release. Consult Adobe Security Advisories (typically published at adobe.com/security or PSIRT channels) for specific patch version numbers and rollout schedules.
Adobe InDesign version 11.4.1 and earlier, Adobe InDesign Server 11.0.0 and earlier have an exploitable memory corruptio
An issue was discovered in Adobe InDesign 12.1.0 and earlier versions. Rated critical severity (CVSS 9.8), this vulnerab
Adobe InDesign versions 14.0.1 and below have an unsafe hyperlink processing vulnerability. Rated critical severity (CVS
Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability in the CoolType library. R
Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted fil
Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bounds Write vulnerability when parsing a crafted fil
InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by an out-of-bounds write vulnerability that could r
InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that c
InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnera
InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by an out-of-bounds write vulnerability that could r
InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by an out-of-bounds write vulnerability that could r
Use-after-free vulnerability in Adobe InDesign Desktop that allows arbitrary code execution with the privileges of the c
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17697