What is the CVSS score of CVE-2025-54874?

CVE-2025-54874 has a contested CVSS base score of 6.6 from a third party (e.g. CISA-ADP), while the vendor rates it Medium. vuln.today uses the vendor rating as authoritative.

Which versions of Openjpeg are affected by CVE-2025-54874?

Organizations using OpenJPEG from 2.5.1 should be aware of notable risk from CVE-2025-54874 rated CVSS 6.6. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-54874?

Yes, a public proof-of-concept exploit is available for CVE-2025-54874. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-54874?

Within 7 days: Identify affected systems running OpenJPEG from 2.5.1 and apply vendor patches promptly. Vendor patch is available.

Openjpeg CVE-2025-54874

MEDIUM

Use of Uninitialized Variable (CWE-457)

2025-08-05 security-advisories@github.com

Information Disclosure Openjpeg Red Hat Suse

Medium

Disputed · 6.6 NVD

Severity by source

Sources disagree (Medium–Critical)

GitHub Advisory PRIMARY

6.6 MEDIUM

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Red Hat

8.0 HIGH

qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:05 vuln.today

Patch released

Mar 28, 2026 - 19:05 nvd

Patch available

PoC Detected

Sep 26, 2025 - 22:15 vuln.today

Public exploit code

CVE Published

Aug 05, 2025 - 15:15 nvd

MEDIUM 6.6

DescriptionGitHub Advisory

OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

AnalysisAI

OpenJPEG is an open-source JPEG 2000 codec. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-457. OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized. Affected products include: Uclouvain Openjpeg. Version information: through 2.5.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
SUSE Package Hub 15 SP6	Fixed
openSUSE Leap 15.6	Fixed
openSUSE Tumbleweed	Fixed
SUSE Linux Enterprise Desktop 15 SP7	Fixed
SUSE Linux Enterprise Desktop 15 SP7	Fixed

CVE-2025-54874 vulnerability details – vuln.today

Back

Openjpeg CVE-2025-54874

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code