CVE-2025-21124 – Adobe InDesign has an out-of-bounds read vulner... (How to Fix)

Q: What is the severity of CVE-2025-21124?

CVE-2025-21124 has a CVSS score of 5.5 (MEDIUM). Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when users open malicious files. This could help bypass security mitigations like ASLR. Affected users are those running vulnerable versions of InDesign Desktop.

📋 TL;DR

Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when users open malicious files. This could help bypass security mitigations like ASLR. Affected users are those running vulnerable versions of InDesign Desktop.

💻 Affected Systems

Products:

Adobe InDesign Desktop

Versions: ID20.0, ID19.5.1 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable when opening files.

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory disclosure enables ASLR bypass, potentially facilitating more severe attacks like remote code execution through chained exploits.

🟠

Likely Case

Information disclosure of memory contents, which could reveal sensitive data or system information.

🟢

If Mitigated

Limited impact if proper file handling controls and patching are implemented.

🌐 Internet-Facing: LOW - Requires user interaction to open malicious files, not directly network exploitable.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction (opening malicious file) and memory manipulation expertise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ID20.0.1 and ID19.5.2 or later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb25-01.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application. 2. Navigate to 'Apps' tab. 3. Find InDesign and click 'Update'. 4. Restart computer after installation completes.

🔧 Temporary Workarounds

Restrict file handling

all

Configure InDesign to only open files from trusted sources using application restrictions.

Disable automatic file opening

all

Configure system to prompt before opening InDesign files from unknown sources.

🧯 If You Can't Patch

Restrict user permissions to only open InDesign files from trusted network locations
Implement application whitelisting to prevent execution of unauthorized InDesign instances

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign. If version is ID20.0, ID19.5.1 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where "name like 'Adobe InDesign%'" get version
On macOS: /Applications/Adobe\ InDesign\ */Adobe\ InDesign.app/Contents/Info.plist | grep -A1 CFBundleShortVersionString

Verify Fix Applied:

Verify version is ID20.0.1, ID19.5.2 or later via Help > About InDesign.

📡 Detection & Monitoring

Log Indicators:

InDesign crash logs with memory access violations
Unexpected file opening events in application logs

Network Indicators:

Downloads of InDesign files from untrusted sources

SIEM Query:

source="*indesign*" AND (event_type="crash" OR file_extension="indd" OR file_extension="indl")

📊 Metadata

CVE ID: CVE-2025-21124

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.09% exploit probability (25.5th percentile)

Published: February 11, 2025

Last Updated: March 3, 2025

🔗 References

https://helpx.adobe.com/security/products/indesign/apsb25-01.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-21124, you might also want to check these: