EUVD-2025-208793CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
3Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Analysis
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, allowing attackers to read memory beyond allocated buffer boundaries. Affinity version 3.0.1.3808 and potentially earlier versions are affected. By crafting a malicious EMF file, an unauthenticated attacker with local file system access can trigger the vulnerability through user interaction (opening the file), potentially disclosing sensitive information such as API keys, credentials, or other data resident in adjacent memory regions. The vulnerability has a CVSS score of 6.1 indicating medium severity with high confidentiality impact but limited integrity and availability consequences.
Technical Context
The vulnerability resides in Canva Affinity's EMF (Enhanced Metafile) file parser, a Microsoft vector graphics format commonly used in Windows environments. EMF files contain structured records that describe graphical operations; the parser fails to properly validate buffer boundaries when processing these records, resulting in an out-of-bounds read condition classified under CWE-125 (Out-of-bounds Read). The affected product is identified via CPE cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:*, indicating all versions of Canva Affinity may be vulnerable. The root cause is improper input validation during EMF record deserialization; insufficient bounds checking allows reading of memory locations beyond the intended buffer allocation, a classic memory safety issue common in C/C++ implementations of file format parsers.
Affected Products
Canva Affinity version 3.0.1.3808 is explicitly confirmed as vulnerable per EUVD-2025-208793. The CPE designation cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:* indicates the vulnerability potentially affects all versions of Canva Affinity, though only 3.0.1.3808 is directly mentioned in available intelligence. Users should consult Canva's security trust portal at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62 for definitive affected version ranges and patched versions. Talos Intelligence reported this vulnerability under identifier TALOS-2025-2298, available at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2298.
Remediation
Upgrade Canva Affinity to the latest patched version released by Canva following the security advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62. Until patching is completed, implement compensating controls including restricting use of Affinity to trusted, internally-sourced design files only and avoiding opening EMF files from untrusted origins or third-party sources. Additionally, run Affinity with least-privilege user accounts and utilize operating system-level sandboxing or application whitelisting to limit the impact of potential memory disclosure. Monitor the Talos Intelligence report and NVD entry at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2298 and https://nvd.nist.gov/vuln/detail/CVE-2025-62500 for patch availability timelines and additional technical details.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today