Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
3DescriptionCVE.org
A Heap-based Buffer Overflow vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.
AnalysisAI
Heap-based buffer overflow vulnerability in PRJ file parsing that allows local attackers with user interaction to achieve high-impact memory corruption, potentially leading to arbitrary code execution or information disclosure. The vulnerability stems from insufficient validation of user-supplied data within PRJ file structures, enabling attackers to read and write past allocated buffer boundaries. No current KEV status or active exploitation data is available in public records, but the local attack vector and requirement for user interaction (file opening) suggest moderate real-world risk despite the high CVSS score.
Technical ContextAI
This vulnerability exists in the parsing logic of PRJ (project) file formats, likely within CAD, project management, or engineering software that handles project file serialization. CWE-122 (Heap-based Buffer Overflow) indicates the root cause is a classic memory safety issue where the parser fails to enforce bounds checking when reading or writing data from/to heap-allocated structures during deserialization of PRJ file contents. The vulnerability is triggered during file parsing, suggesting the parser does not validate buffer sizes against user-controlled length fields or offsets within the PRJ file format. This is typical of legacy binary format parsers written in memory-unsafe languages (C/C++) that assume well-formed input without defensive validation.
RemediationAI
Immediate actions: (1) Patch all affected products to vendor-supplied security updates; apply patches from respective vendor security advisory pages once released, (2) Disable or restrict PRJ file parsing if not essential, (3) Implement strict file validation: validate PRJ file signatures and structure before parsing, enforce maximum file sizes and field lengths. Medium-term: (1) Apply input validation sanitization—verify all length fields and offsets in PRJ files before allocating/accessing memory, (2) Use memory-safe parsing libraries or rewrite parsers with bounds checking, (3) Enable address space layout randomization (ASLR) and stack canaries at OS level to mitigate exploitation impact. Workarounds: (1) Do not open PRJ files from untrusted sources, (2) Use application sandboxing or separate non-privileged accounts for file parsing, (3) Monitor for suspicious PRJ file modifications. Vendor patches must be obtained from official sources (Autodesk Security Advisory, Microsoft Security Update, etc.); links depend on identification of specific affected product.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18551