CVE-2025-30317

EUVD-2025-17697 | Severity: HIGH
2025-06-10 [email protected]
CVSS 3.1 base score: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 19:49 (euvd), EUVD-2025-17697
CVE Published: Jun 10, 2025 17:21 (nvd), severity HIGH 7.8

Description

InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Analysis

Heap-based buffer overflow in Adobe InDesign Desktop that allows arbitrary code execution when a user opens a malicious file. Affected versions are InDesign ID20.2 and earlier on the 20.x branch and ID19.5.3 and earlier on the 19.x branch. Exploitation requires user interaction (the victim must open the crafted document), but the issue is rated high severity (CVSS 7.8) because a successful exploit gives the attacker code execution with the full privileges of the affected user; it does not by itself cross a privilege boundary (Scope: Unchanged).

Technical Context

This vulnerability is a heap-based buffer overflow (CWE-122) in Adobe InDesign's file parsing logic. CWE-122 is a classic memory-safety defect: data written to a heap-allocated buffer exceeds the buffer's allocated size and corrupts whatever lies beyond it, such as adjacent objects or allocator metadata, which an attacker can often turn into control of a function pointer or vtable and from there into arbitrary code execution. Here the overflow is reached when InDesign parses a crafted document; the advisory describes the trigger only as "a malicious file", so .indd or a related InDesign format is the likely vehicle but is inferred rather than stated. The affected product is Adobe InDesign Desktop (CPE: adobe indesign): ID20.2 and earlier on the 20.x branch and ID19.5.3 and earlier on the 19.x branch. The root cause is insufficient bounds checking during heap writes while parsing untrusted file content. Because the bug sits in the file parser and the vector is AV:L with UI:R and PR:N, the attacker needs no network access or prior privilege, only a way to get the user to open the file; the resulting code runs with whatever privileges that user has.
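The pattern described above, as an added illustration that is not code from Adobe or from this page: a toy record format (an assumed layout with a 4-byte little-endian declared length followed by payload bytes, not InDesign's real on-disk format) parsed first by a routine that trusts the declared length when copying into a fixed 64-byte heap buffer, and then by a hardened routine that checks the length against both the bytes actually present and the buffer capacity before copying. The sample "files" are constructed inline. Names such as parse_name_unsafe, parse_name_safe and the verdict_* helpers are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy record layout (an assumption for illustration, not InDesign's real
 * on-disk format): 4-byte little-endian declared length, then that many
 * payload bytes. The parser copies the payload into a fixed-size heap buffer. */
#define NAME_CAPACITY 64u

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* declared length runs past the end of the file */
    PARSE_OVERSIZED = 2,   /* declared length does not fit the heap buffer */
    PARSE_ALLOC_FAILED = 3
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (CWE-122): the attacker-controlled length drives the
 * memcpy, but the destination is a 64-byte heap allocation. A declared length
 * of 64 or more writes past the allocation into the neighbouring heap chunk
 * and its allocator metadata. On success the caller owns *out and frees it. */
enum parse_status parse_name_unsafe(const uint8_t *file, size_t file_len, char **out) {
    *out = NULL;
    if (file_len < 4) return PARSE_TRUNCATED;
    uint32_t declared = read_le32(file);
    char *name = malloc(NAME_CAPACITY);
    if (!name) return PARSE_ALLOC_FAILED;
    memcpy(name, file + 4, declared);  /* BUG: declared is never compared to NAME_CAPACITY */
    name[declared] = '\0';             /* BUG: also past the end when declared >= 64 */
    *out = name;
    return PARSE_OK;
}

/* Hardened form: validate the untrusted length against both the bytes that
 * are actually present and the capacity of the destination before copying. */
enum parse_status parse_name_safe(const uint8_t *file, size_t file_len, char **out) {
    *out = NULL;
    if (file_len < 4) return PARSE_TRUNCATED;
    uint32_t declared = read_le32(file);
    if (declared > file_len - 4) return PARSE_TRUNCATED;   /* payload not all present */
    if (declared >= NAME_CAPACITY) return PARSE_OVERSIZED; /* leave room for the NUL */
    char *name = malloc(NAME_CAPACITY);
    if (!name) return PARSE_ALLOC_FAILED;
    memcpy(name, file + 4, declared);
    name[declared] = '\0';
    *out = name;
    return PARSE_OK;
}

/* Constructed sample files: a well-formed 12-byte record and a crafted one
 * whose declared length (200) is far larger than the 64-byte destination. */
static size_t build_record(uint8_t *buf, uint32_t declared, uint8_t fill) {
    buf[0] = (uint8_t)declared;         buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16); buf[3] = (uint8_t)(declared >> 24);
    memset(buf + 4, fill, declared);
    return 4 + declared;
}

/* Helpers returning the parser verdicts so they can be checked directly. */
int verdict_benign_unsafe(void) {
    uint8_t f[4 + 12]; size_t n = build_record(f, 12, 'n');
    char *name; int rc = parse_name_unsafe(f, n, &name); free(name); return rc;
}
int verdict_benign_safe(void) {
    uint8_t f[4 + 12]; size_t n = build_record(f, 12, 'n');
    char *name; int rc = parse_name_safe(f, n, &name); free(name); return rc;
}
size_t benign_name_length(void) {
    uint8_t f[4 + 12]; size_t n = build_record(f, 12, 'n');
    char *name; size_t len = 0;
    if (parse_name_safe(f, n, &name) == PARSE_OK) { len = strlen(name); free(name); }
    return len;
}
int verdict_malicious_safe(void) {
    uint8_t f[4 + 200]; size_t n = build_record(f, 200, 'A');
    char *name; return parse_name_safe(f, n, &name);
}
int verdict_truncated_safe(void) {
    uint8_t f[4 + 200]; build_record(f, 200, 'A');
    char *name; return parse_name_safe(f, 16, &name); /* claims 200, only 12 supplied */
}

int main(void) {
    printf("benign/unsafe:    %d\n", verdict_benign_unsafe());
    printf("benign/safe:      %d\n", verdict_benign_safe());
    printf("malicious/safe:   %d\n", verdict_malicious_safe());
    printf("truncated/safe:   %d\n", verdict_truncated_safe());
#ifdef DEMO_OVERFLOW
    /* Build with -DDEMO_OVERFLOW -fsanitize=address to watch the unsafe
     * parser write 136 bytes (plus the terminator) past its 64-byte chunk. */
    uint8_t f[4 + 200]; size_t n = build_record(f, 200, 'A');
    char *name; parse_name_unsafe(f, n, &name); free(name);
#endif
    return 0;
}
```

The unsafe parser is only ever run on the benign record by default; the crafted record is passed to it under DEMO_OVERFLOW so that the heap corruption is observed deliberately under AddressSanitizer rather than as an unpredictable crash. The two checks in the safe variant are the ones the advisory's root cause points at: a length from the file must be bounded by what was read and by what was allocated before it drives a write.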

Affected Products

Adobe InDesign Desktop: ID20.2 and earlier (20.x branch); ID19.5.3 and earlier (19.x branch)

Remediation

Update Adobe InDesign to the fixed release named in Adobe's security bulletin for this CVE: a version later than ID20.2 on the 20.x branch, or later than ID19.5.3 on the 19.x branch. Adobe delivers these updates through the Creative Cloud desktop application or as manual downloads from adobe.com/downloads. Until the patch is applied: (1) disable thumbnail or preview generation in any file manager or indexing service that parses InDesign documents, since a preview handler can reach the vulnerable parser without the user consciously opening the file; (2) instruct users not to open InDesign files from untrusted sources, including email attachments and downloads from unknown websites; (3) block or sandbox-detonate inbound attachments with InDesign extensions at the mail gateway where possible; (4) turn off browser settings that automatically open downloaded files in their associated application. These controls narrow the delivery path only; the CVSS vector (AV:L, PR:N, UI:R) means any channel that gets the user to open a file still reaches the bug, and only the vendor patch removes it. Apply the patch through Adobe's official update mechanism within 30 days of release, and consult Adobe's security advisories (adobe.com/security and PSIRT channels) for the exact fixed version numbers and rollout schedule.

Priority Score

39 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +39, POC 0
