CVE-2024-25445

7.8 HIGH

📋 TL;DR

This vulnerability in Hugin 2022.0.0 lets an attacker trigger an assertion failure in HuginBase::PTools::Transform::transform by supplying invalid parameter values through a crafted image file. A failed assertion aborts the process, so the outcome is denial of service (application crash), with any unsaved project state lost. Users who open untrusted image files in Hugin 2022.0.0, interactively or in an automated stitching pipeline, are affected.

💻 Affected Systems

Products:
  • Hugin
Versions: 2022.0.0
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Hugin 2022.0.0 are vulnerable regardless of configuration.

📦 What is this software?

Hugin is a free, open-source panorama photo stitcher built on Panorama Tools (libpano13). It ships a wxWidgets GUI (the hugin binary) together with command-line tools such as nona and hugin_executor that are used for batch stitching. The affected function, HuginBase::PTools::Transform::transform, lives in hugin_base, the shared library that both the GUI and the command-line tools link against.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The Hugin process aborts on the failed assertion, a denial of service. In an automated stitching pipeline the batch job fails and, if the same crafted input is retried, the pipeline stalls until the file is removed.

🟠

Likely Case

Application crash when processing a specially crafted image file; the user has to restart Hugin manually and any unsaved project state is lost.

🟢

If Mitigated

No impact if patched or if only trusted image files are processed.

🌐 Internet-Facing: LOW - Hugin is typically not exposed directly to internet-facing services.
🏢 Internal Only: MEDIUM - Internal users could be affected if they process untrusted image files, but the attack requires user interaction (opening the crafted file) and yields only a crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a user (or an automated pipeline) to open a crafted image file in Hugin. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: distribution builds of 2022.0.0 that carry the fix referenced in the Launchpad bug report. Such builds typically keep the upstream version string 2022.0.0 and bump only the package release, so the version number alone does not tell you whether the fix is present.

Vendor Advisory: https://bugs.launchpad.net/hugin/+bug/2025038

Restart Required: Yes

Instructions:

1. Check your distribution's package manager for updated Hugin packages.
2. For Fedora: 'sudo dnf update hugin'.
3. For other distributions, check the respective package repositories.
4. Restart Hugin after the update.

🔧 Temporary Workarounds

Avoid processing untrusted files

Platforms: all

Only process image files from trusted sources until patched.

🧯 If You Can't Patch

  • Do not feed files from untrusted sources into stitching workflows; input validation cannot reliably catch the crafted values, so treat provenance, not content checks, as the control
  • Run Hugin and its command-line tools under a dedicated unprivileged account, ideally in a container or sandbox, so a crash only takes down that job
  • In automated pipelines, give each stitching job a timeout and do not retry an input that has already crashed Hugin

🔍 How to Verify

Check if Vulnerable:

Check the Hugin version: 'hugin --version' should show 2022.0.0. On packaged installs, query the package manager as well, because a patched distribution build still reports 2022.0.0.

Check Version:

hugin --version

Verify Fix Applied:

After the update, confirm that the installed package is newer than the one you started with and that its changelog references this CVE. On RPM systems: 'rpm -q hugin' for the package release and 'rpm -q --changelog hugin | grep CVE-2024-25445' for the fix reference. On Debian systems: 'dpkg -l hugin' for the package version and 'zgrep CVE-2024-25445 /usr/share/doc/hugin/changelog.Debian.gz' for the fix reference. Do not rely on the version string changing away from 2022.0.0; distribution patches usually keep it.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs mentioning HuginBase::PTools::Transform::transform or an "Assertion ... failed." message from a hugin process
  • journal or systemd-coredump entries showing a hugin (or nona, hugin_executor) process terminated by SIGABRT or dumping core; an assertion failure raises SIGABRT, not SIGSEGV, so a segmentation-fault entry alone is not this CVE's signature

SIEM Query:

source="*hugin*" AND ("Assertion" OR "SIGABRT" OR "dumped core" OR "segfault" OR "crash")
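The detection logic above, run over constructed sample log lines, as an added example that is not part of the original advisory. It correlates the three indicators a Hugin abort leaves behind (the glibc assertion message, the systemd-coredump record, and a kernel segfault line) by host and PID, so one crash produces one incident rather than three alerts. The set of watched binaries beyond hugin itself (nona, hugin_executor, hugin_stitch_project) is an assumption, and the file, line and expression in the sample assertion messages are placeholders, not text from the advisory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Hugin binaries to watch. "hugin" is the GUI named in the advisory; the CLI
# tools are an assumption (they link the same hugin_base library) and can be
# trimmed if you only run the GUI.
WATCHED_PROCS = {"hugin", "nona", "hugin_executor", "hugin_stitch_project"}

# Classic syslog/journal line: "Mon DD HH:MM:SS host unit[pid]: message".
# The [pid] part is optional because kernel lines have none.
_SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# glibc assert(): "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
_ASSERT = re.compile(r"Assertion [`'\"].*['\"] failed\.?")
# systemd-coredump: "Process 4242 (hugin) of user 1000 dumped core."
_COREDUMP = re.compile(r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user \d+ dumped core")
# kernel: "hugin[4242]: segfault at 0 ip ... sp ... error 4 in libhuginbase..."
_SEGV = re.compile(r"^(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at")


@dataclass
class Incident:
    host: str
    pid: int
    comm: str
    first_seen: str
    indicators: List[str] = field(default_factory=list)


def scan(lines: Iterable[str]) -> List[Incident]:
    """Return one Incident per (host, pid) of a watched Hugin process that aborted."""
    incidents: Dict[Tuple[str, int], Incident] = {}

    def touch(host: str, pid: int, comm: str, ts: str, indicator: str) -> None:
        inc = incidents.setdefault((host, pid), Incident(host, pid, comm, ts))
        if indicator not in inc.indicators:
            inc.indicators.append(indicator)

    for raw in lines:
        m = _SYSLOG.match(raw.rstrip("\n"))
        if not m:
            continue
        ts, host, unit, pid, msg = m.group("ts", "host", "unit", "pid", "msg")
        if unit in WATCHED_PROCS and pid and _ASSERT.search(msg):
            touch(host, int(pid), unit, ts, "assertion-failure")
        elif unit == "systemd-coredump":
            c = _COREDUMP.search(msg)
            if c and c.group("comm") in WATCHED_PROCS:
                touch(host, int(c.group("pid")), c.group("comm"), ts, "core-dumped")
        elif unit == "kernel":
            s = _SEGV.match(msg)
            if s and s.group("comm") in WATCHED_PROCS:
                touch(host, int(s.group("pid")), s.group("comm"), ts, "segfault")
    return list(incidents.values())


# Constructed sample log lines. The assertion file/line/expression are
# placeholders; the real text depends on the Hugin build. The last two lines
# are negatives: an unrelated service and a non-Hugin process with a
# similar-looking message.
SAMPLE_LOGS = """\
Jun 12 10:01:02 build01 hugin[4242]: hugin: sample.cpp:1: void f(): Assertion `ok' failed.
Jun 12 10:01:02 build01 systemd-coredump[4250]: Process 4242 (hugin) of user 1000 dumped core.
Jun 12 10:05:30 build01 nona[4301]: nona: sample.cpp:1: void f(): Assertion `ok' failed.
Jun 12 10:07:11 build01 kernel: hugin[4310]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000000 error 4 in libhuginbase.so[7f00dead0000+100000]
Jun 12 10:09:00 build01 sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Jun 12 10:10:00 build01 python3[1234]: AssertionError: Assertion `x' failed.
"""

if __name__ == "__main__":
    for inc in scan(SAMPLE_LOGS.splitlines()):
        print(f"{inc.first_seen} {inc.host} {inc.comm}[{inc.pid}]: {', '.join(inc.indicators)}")
```

Feed it `journalctl -o short` output (or the equivalent syslog file) for hosts that run Hugin; an incident with only the segfault indicator deserves a second look, since the advisory's failure mode is an abort.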

🔗 References

  • Launchpad bug report: https://bugs.launchpad.net/hugin/+bug/2025038
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-25445