Which versions of Exiv2 are affected by CVE-2025-55304?

CVE-2025-55304 is a low-severity vulnerability in Exiv2 (CVSS 1.8). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.. A patch is available.

Is there a public PoC exploit available for CVE-2025-55304?

Yes, a public proof-of-concept exploit is available for CVE-2025-55304. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-55304?

During next maintenance window: Apply vendor patches when convenient. Vendor patch is available.

Exiv2 CVE-2025-55304

Q: What is the CVSS score of CVE-2025-55304?

CVE-2025-55304 has a CVSS 4.0 base score of 1.8 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Inefficient Algorithmic Complexity (CWE-407)

2025-08-29 security-advisories@github.com

Information Disclosure Exiv2

1.8

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:09 vuln.today

Patch released

Mar 28, 2026 - 19:09 nvd

Patch available

PoC Detected

Sep 02, 2025 - 13:21 vuln.today

Public exploit code

CVE Published

Aug 29, 2025 - 15:15 nvd

LOW 1.8

DescriptionNVD

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

AnalysisAI

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Rated low severity (CVSS 1.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-407. Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6. Affected products include: Exiv2. Version information: version 0.28.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-55304 vulnerability details – vuln.today

Back