CVE-2025-43590

EUVD-2025-17703 HIGH
2025-06-10 [email protected]
CVSS 3.1: 7.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17703
CVE Published: Jun 10, 2025 - 17:23 (nvd), HIGH 7.8

Description

InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Analysis

CVE-2025-43590 is an out-of-bounds write vulnerability in Adobe InDesign Desktop that allows arbitrary code execution with the privileges of the current user. Affected versions include ID20.2, ID19.5.3, and earlier releases. Exploitation requires user interaction, specifically opening a malicious file, but once triggered it grants an attacker full code execution capabilities in the context of the authenticated user.

Technical Context

This vulnerability is classified as CWE-787 (Out-of-bounds Write), a memory corruption flaw where the application writes data beyond the boundaries of allocated memory buffers. In the context of Adobe InDesign—a complex document processing application handling multiple file formats (INDD, PDF, EPS, etc.)—this flaw likely occurs during parsing or rendering of crafted document structures. The out-of-bounds write could overwrite adjacent heap or stack memory, corrupting function pointers, object metadata, or return addresses. Adobe InDesign's document parsing engine (handling proprietary INDD formats and embedded assets) is the probable attack surface. The vulnerability affects CPE entries for Adobe InDesign: cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:* (versions ≤20.2 on Desktop).

Affected Products

Adobe InDesign Desktop (ID20.2 and earlier; ID19.5.3 and earlier)

Priority Score

39
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0
