EUVD-2025-208801CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
3Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Analysis
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, affecting version 3.0.1.3808 and potentially earlier releases. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from adjacent memory regions. The vulnerability requires user interaction (opening a file) but no elevated privileges, with a CVSS score of 6.1 indicating moderate severity; while not currently listed in CISA's Known Exploited Vulnerabilities catalog, the straightforward attack vector and information disclosure impact warrant prompt patching.
Technical Context
The vulnerability resides in Canva Affinity's EMF file parser, which handles Microsoft's Enhanced Metafile format—a vector graphics file format used for rendering graphics and text. The root cause is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the parser fails to properly validate EMF record boundaries or array indices before accessing memory. When processing a specially crafted EMF file with malformed record structures or size fields, the parser reads beyond allocated buffer boundaries, accessing adjacent heap or stack memory. This is particularly dangerous in graphical applications where EMF files may be automatically processed from untrusted sources. The affected product is identified via CPE as cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:*, with confirmed impact on version 3.0.1.3808.
Affected Products
Canva Affinity versions including 3.0.1.3808 are confirmed vulnerable. The CPE identifier cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:* indicates the vulnerability may affect a broader range of Affinity versions; users of any Affinity release should assume potential vulnerability until vendor communication clarifies the exact version range. Official vulnerability details and affected version information are available via Talos Intelligence's advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2301 and Canva's trust portal at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62. The ENISA EUVD ID EUVD-2025-208801 provides European vulnerability database cross-reference.
Remediation
Immediately upgrade Canva Affinity to the patched version released by Canva in response to CVE-2025-66000; consult Canva's official advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62 for the exact patched version number and download links. If immediate patching is not possible, implement procedural controls by restricting the opening of EMF files from untrusted sources and disabling automatic EMF processing in Affinity preferences if available. For enterprise deployments, configure application whitelisting or sandboxing to isolate Affinity when processing external design files, and conduct user training to avoid opening unsolicited EMF files. Once patching is completed, verify the update via Affinity's About dialog or update log to confirm the vulnerability has been addressed.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today