CVE-2025-15537

5.3 MEDIUM

📋 TL;DR

A heap-based buffer overflow vulnerability exists in Mapnik's shapefile input plugin, specifically in the dbf_file::string_value function. This allows local attackers to potentially execute arbitrary code or cause denial of service. Only Mapnik installations up to version 4.2.0 are affected.

💻 Affected Systems

Products:
  • Mapnik
Versions: Up to and including 4.2.0
Operating Systems: All platforms running Mapnik
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Mapnik's shapefile input functionality. The vulnerability is triggered when processing malicious shapefiles.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to full system compromise via arbitrary code execution.

🟠 Likely Case: Application crash (denial of service) or limited information disclosure from heap memory.

🟢 If Mitigated: Minimal impact if proper access controls prevent local attackers from accessing Mapnik processes.

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers could exploit if they have access to Mapnik processes, but requires specific conditions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and the ability to supply malicious shapefiles to Mapnik. A public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/mapnik/mapnik/issues/4543

Restart Required: Yes

Instructions:

No official patch available. Monitor Mapnik repository for updates. Consider workarounds or alternative solutions.

🔧 Temporary Workarounds

Restrict shapefile processing (Platform: all)

Limit Mapnik's ability to process untrusted shapefiles by implementing input validation and access controls.
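
One way to implement the input validation described above, as an added example that is not Mapnik code and not part of the advisory: a strict pre-ingest check of the .dbf attribute table that accompanies a shapefile, rejecting files whose header, field descriptors and record length disagree. The function names and the reject policy are assumptions; the page does not state the root cause of the overflow, so this check only keeps structurally inconsistent files away from the plugin.

```python
import struct

class DbfError(ValueError):
    """The .dbf attribute table is structurally inconsistent."""

def validate_dbf(data: bytes) -> list:
    """Return [(name, type, length), ...] or raise DbfError (strict policy)."""
    if len(data) < 33:
        raise DbfError("shorter than a minimal header")
    # Offsets 4-7 record count, 8-9 header length, 10-11 record length (LE).
    num_records, header_len, record_len = struct.unpack_from("<IHH", data, 4)
    if header_len < 33 or header_len > len(data):
        raise DbfError("header length outside file")
    fields, offset, total = [], 32, 1   # 1 = per-record deletion flag byte
    while True:
        if offset >= header_len:
            raise DbfError("missing 0x0D descriptor terminator")
        if data[offset] == 0x0D:
            break
        if offset + 32 > header_len:
            raise DbfError("truncated field descriptor")
        name = data[offset:offset + 11].split(b"\x00", 1)[0].decode("ascii", "replace")
        flen = data[offset + 16]            # declared field width in bytes
        fields.append((name, chr(data[offset + 11]), flen))
        total += flen
        offset += 32
    if not fields or total != record_len:
        raise DbfError(f"fields need {total} bytes, header declares {record_len}")
    if header_len + num_records * record_len > len(data):
        raise DbfError("declared records extend past end of file")
    return fields

def build_sample(field_lens, declared_record_len=None, rows=1) -> bytes:
    """Constructed sample input: minimal .dbf with character ('C') fields."""
    record_len = 1 + sum(field_lens)
    descs = b"".join(
        f"F{i}".encode().ljust(11, b"\x00") + b"C" + bytes(4) + bytes([n, 0]) + bytes(14)
        for i, n in enumerate(field_lens))
    head = struct.pack("<B3BIHH20x", 3, 125, 1, 1, rows, 32 + len(descs) + 1,
                       declared_record_len or record_len)
    return head + descs + b"\x0d" + b" " * (record_len * rows)

if __name__ == "__main__":
    print(validate_dbf(build_sample([10, 5])))
    try:
        validate_dbf(build_sample([10, 5], declared_record_len=8))
    except DbfError as exc:
        print("rejected:", exc)
```

Run it in the upload or ingest path before the file reaches any Mapnik datasource, and quarantine rejected files rather than retrying them.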

Application sandboxing (Platform: linux)

Run Mapnik processes in containers or with reduced privileges to limit impact of potential exploitation.

docker run --security-opt=no-new-privileges -u nobody mapnik-container

🧯 If You Can't Patch

  • Implement strict access controls to prevent local users from supplying shapefiles to Mapnik processes
  • Monitor for abnormal Mapnik process behavior or crashes indicating exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Mapnik version with mapnik-config --version. If the version is 4.2.0 or earlier, the system is vulnerable.

Check Version:

mapnik-config --version

Verify Fix Applied:

No fix available to verify. Monitor Mapnik repository for security updates.

📡 Detection & Monitoring

Log Indicators:

  • Mapnik process crashes
  • Abnormal memory usage patterns in Mapnik processes
  • Unexpected shapefile processing errors

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

process_name:"mapnik" AND (event_type:"crash" OR memory_usage > threshold)
