CVE-2019-25050

7.8 HIGH

📋 TL;DR

This CVE describes a stack-based buffer overflow vulnerability in the netCDF component of GDAL. Attackers can exploit it to execute arbitrary code or cause denial of service by supplying specially crafted netCDF files. Organizations using GDAL for geospatial data processing are affected.

💻 Affected Systems

Products:
  • GDAL (Geospatial Data Abstraction Library)
Versions: GDAL 2.4.2 through 3.0.4
Operating Systems: All platforms where GDAL is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing netCDF files with specially crafted attributes.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash causing denial of service for geospatial processing services.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: MEDIUM - Requires processing of malicious netCDF files, which could be uploaded via web interfaces.
🏢 Internal Only: MEDIUM - Internal users could exploit via malicious files in shared storage or processing pipelines.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof-of-concept is available in oss-fuzz reports. Exploitation requires the victim to process a malicious netCDF file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GDAL 3.0.5 and later

Vendor Advisory: https://github.com/OSGeo/gdal/security/advisories

Restart Required: Yes

Instructions:

1. Update GDAL to version 3.0.5 or later.
2. For Linux: Use package manager (apt-get upgrade gdal, yum update gdal).
3. For Windows: Download updated binaries from gdal.org.
4. Restart applications using GDAL.

🔧 Temporary Workarounds

Disable netCDF support (Linux)

Temporarily disable netCDF file processing if not required.

Recompile GDAL without netCDF support: ./configure --without-netcdf

Input validation (all platforms)

Implement strict validation of netCDF files before processing.

🧯 If You Can't Patch

  • Implement strict file upload controls and validation for netCDF files
  • Run GDAL in sandboxed/containerized environment with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check the GDAL version: gdalinfo --version. If the version is between 2.4.2 and 3.0.4 inclusive, the system is vulnerable.

Check Version:

gdalinfo --version

Verify Fix Applied:

After update, verify version is 3.0.5 or later: gdalinfo --version
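
The version check above can be scripted for fleet or CI use. This is an added example, not code from GDAL or from this advisory; the function names and the status labels are assumptions, and the range boundaries are the ones listed on this page.

```shell
#!/bin/sh
# Added example: classify a GDAL version against the range this page lists
# as affected (2.4.2 through 3.0.4 inclusive, fixed in 3.0.5).

# Turn "MAJOR.MINOR.PATCH" into a comparable integer, e.g. 3.0.4 -> 30004.
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# Extract the version from `gdalinfo --version` output of the form
# "GDAL X.Y.Z, released YYYY/MM/DD" (a bare "X.Y.Z" is accepted too).
parse_gdal_version() {
    echo "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints one of: vulnerable | patched | not-listed | unknown
gdal_cve_status() {
    v=$(parse_gdal_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    n=$(ver_to_int "$v")
    if [ "$n" -lt 20402 ]; then
        echo not-listed     # older than the range given on this page
    elif [ "$n" -le 30004 ]; then
        echo vulnerable     # 2.4.2 through 3.0.4 inclusive
    else
        echo patched        # 3.0.5 or later
    fi
}

# Live check, run only when gdalinfo is on PATH. The driver test relates to
# the page's workaround of building GDAL without netCDF support.
if command -v gdalinfo >/dev/null 2>&1; then
    out=$(gdalinfo --version)
    status=$(gdal_cve_status "$out")
    if gdalinfo --formats 2>/dev/null | grep -qi 'netcdf'; then
        drv="netCDF driver present"
    else
        drv="netCDF driver absent"
    fi
    echo "$out -> $status ($drv)"
fi
```

A "not-listed" result means only that the version is outside the range stated here, not that it has been confirmed safe.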

📡 Detection & Monitoring

Log Indicators:

  • GDAL segmentation faults
  • Application crashes when processing netCDF files
  • Memory access violation errors

Network Indicators:

  • Unusual netCDF file uploads to geospatial services
  • Large netCDF files with abnormal attribute structures

SIEM Query:

source="application.log" AND ("segmentation fault" OR "buffer overflow") AND ("gdal" OR "netcdf")
