CVE-2025-2760 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-2760?

CVE-2025-2760 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious XWD image files in GIMP. The integer overflow during file parsing enables buffer overflow leading to remote code execution. All GIMP users who open untrusted XWD files are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious XWD image files in GIMP. The integer overflow during file parsing enables buffer overflow leading to remote code execution. All GIMP users who open untrusted XWD files are affected.

💻 Affected Systems

Products:

GIMP (GNU Image Manipulation Program)

Versions: Versions prior to 2.10.40 and 3.0.0

Operating Systems: Linux, Windows, macOS, BSD

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations with XWD file support enabled are vulnerable. XWD (X Window Dump) is a legacy format but still supported.

📦 What is this software?

Gimp by Gimp

View all CVEs affecting Gimp →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the GIMP user, potentially leading to lateral movement, data theft, or ransomware deployment.

🟠

Likely Case

Local privilege escalation or malware installation on the user's system when opening a malicious XWD file from email or web download.

🟢

If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the GIMP process.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but common attack vectors like email attachments or web downloads exist.

🏢 Internal Only: LOW - Primarily affects individual workstations rather than servers, though could be used in targeted attacks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction to open malicious file. Exploit development requires bypassing modern OS protections like ASLR and DEP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GIMP 2.10.40 and 3.0.0

Vendor Advisory: https://www.gimp.org/news/2025/10/15/gimp-2-10-40-released/

Restart Required: No

Instructions:

1. Download latest GIMP version from official website or package manager. 2. Install over existing version. 3. Verify installation with version check.

🔧 Temporary Workarounds

Disable XWD file support

linux

Remove or disable XWD file format plugin to prevent parsing of malicious files

mv /usr/lib/gimp/2.0/plug-ins/file-xwd /usr/lib/gimp/2.0/plug-ins/file-xwd.disabled
Restart GIMP

File association removal

windows

Remove .xwd file association with GIMP to prevent automatic opening

🧯 If You Can't Patch

Implement application allowlisting to prevent execution of unauthorized GIMP versions
Use sandboxing solutions to isolate GIMP from critical system resources

🔍 How to Verify

Check if Vulnerable:

Check GIMP version: gimp --version. If version is below 2.10.40, system is vulnerable.

Check Version:

gimp --version

Verify Fix Applied:

Verify GIMP version is 2.10.40 or higher: gimp --version | grep -E '2\.10\.(4[0-9]|[5-9][0-9])|3\.'

📡 Detection & Monitoring

Log Indicators:

GIMP crash logs with XWD file references
Unexpected GIMP process spawning child processes
File access to .xwd files from untrusted sources

Network Indicators:

Downloads of .xwd files from suspicious sources
Email attachments with .xwd extensions

SIEM Query:

process_name:"gimp" AND file_extension:".xwd" AND event_type:"process_creation"

📊 Metadata

CVE ID: CVE-2025-2760

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-190

EPSS Score: 0.17% exploit probability (37.9th percentile)

Published: April 23, 2025

Last Updated: November 3, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-203/ Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00022.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2760, you might also want to check these: