CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Analysis
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) image processing functionality of Canva Affinity, enabling attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, allowing unauthenticated local attackers with no special privileges to trigger the flaw via user interaction (opening a malicious file). Successful exploitation can disclose sensitive information from process memory, with a secondary risk of application instability (low availability impact). No active exploitation in the wild or public proof-of-concept has been confirmed based on available intelligence, but the vulnerability has been formally disclosed by Talos Intelligence and tracked in NIST NVD and ENISA EUVD databases.
Technical Context
The vulnerability resides in the EMF (Enhanced Metafile) file parsing code within Canva Affinity, a professional design application. EMF is a Windows vector graphics format that stores drawing instructions; improper bounds checking during EMF record parsing allows an attacker to craft malicious EMF files with invalid record sizes or offsets that cause out-of-bounds memory access. This falls under CWE-125 (Out-of-bounds Read), a memory safety defect where the application reads data from memory addresses beyond the intended buffer boundaries without proper validation. The affected product is identified via CPE as cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:*, indicating the flaw affects the Affinity product line. EMF parsing is a common attack surface in document and media applications due to the complexity of the format and legacy codec implementations.
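The record-size and offset checks described above, sketched as a structural pre-screen for EMF files. This is an added example, not code from Canva, Talos, or this advisory; the field offsets follow the public MS-EMF layout, and the function names and sample bytes are constructed for illustration. The advisory does not say which record or field triggers the flaw, so a clean result only means the record framing is consistent.

```python
import struct

EMR_HEADER, EMR_EOF = 1, 14      # record types defined in MS-EMF
EMF_SIGNATURE = 0x464D4520       # bytes " EMF" at offset 40 of the header record
MIN_HEADER = 88                  # smallest EMR_HEADER record

def check_header(data, rtype, size):
    """Validate the first record, including the offset-based description field."""
    if rtype != EMR_HEADER or size < MIN_HEADER:
        return ["first record is not a valid EMR_HEADER"]
    issues = []
    sig, _version, nbytes = struct.unpack_from("<III", data, 40)
    n_desc, off_desc = struct.unpack_from("<II", data, 60)
    if sig != EMF_SIGNATURE:
        issues.append("bad EMF signature")
    if nbytes != len(data):
        issues.append(f"header declares {nbytes} bytes, file has {len(data)}")
    # The description is n_desc UTF-16 characters at off_desc inside this record.
    if n_desc and (off_desc < MIN_HEADER or off_desc + 2 * n_desc > size):
        issues.append("description offset/length falls outside the header record")
    return issues

def check_emf(data):
    """Walk the record stream; return a list of framing problems (empty = none)."""
    issues, off, first, saw_eof = [], 0, True, False
    while off < len(data) and not saw_eof:
        if len(data) - off < 8:
            issues.append(f"offset {off}: truncated record header")
            break
        rtype, size = struct.unpack_from("<II", data, off)
        # Size includes the 8-byte type/size prefix and must be a multiple of 4.
        if size < 8 or size % 4:
            issues.append(f"offset {off}: invalid record size {size}")
            break
        if size > len(data) - off:
            issues.append(f"offset {off}: record size {size} runs past end of file")
            break
        if first:
            issues += check_header(data, rtype, size)
            first = False
        saw_eof = rtype == EMR_EOF
        off += size
    if not saw_eof and not issues:
        issues.append("no EMR_EOF record found")
    return issues

def build_sample(eof_size=20):
    """Constructed sample: an 88-byte EMR_HEADER followed by an EMR_EOF record."""
    hdr = struct.pack("<II", EMR_HEADER, MIN_HEADER) + bytes(32)   # Bounds, Frame
    hdr += struct.pack("<IIIIHHIII", EMF_SIGNATURE, 0x10000, 108, 2, 1, 0, 0, 0, 0)
    return hdr + bytes(16) + struct.pack("<IIIII", EMR_EOF, eof_size, 0, 0, 20)
```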
Affected Products
Canva Affinity version 3.0.1.3808 is confirmed affected according to ENISA EUVD tracking (EUVD-2025-208800). The CPE designation cpe:2.3:a:canva:affinity:*:*:*:*:*:*:*:* indicates that the vulnerability potentially affects multiple versions of the Affinity product line, though version-specific details are limited in current disclosures. Users should consult the Canva Trust Center security advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62 and the Talos Intelligence detailed vulnerability report at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2320 for authoritative information on affected version ranges and patch availability.
Remediation
Organizations should upgrade Canva Affinity to the patched version released by Canva in response to CVE-2025-65119, as announced in the vendor advisory at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62. Until patching is feasible, restrict user access to untrusted EMF files by disabling EMF import functionality if possible through application preferences, educating users to avoid opening EMF files from untrusted sources, and implementing file type restrictions at network gateways to prevent delivery of EMF files to systems running vulnerable Affinity versions. Consider using application sandboxing or containerization to limit memory disclosure impact if Affinity must handle potentially malicious files. Monitor Talos Intelligence at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2320 and Canva's security channel for patch release announcements.
EUVD-2025-208800