CVE-2025-29769

5.5 MEDIUM

📋 TL;DR

A heap buffer overflow exists in libvips' heifsave operation and is triggered when it processes specially crafted TIFF images with 4 channels. This could cause application crashes and potentially allow arbitrary code execution. Affects applications using libvips for image processing.

💻 Affected Systems

Products:
  • libvips
  • applications using libvips library
Versions: All versions before 8.16.1
Operating Systems: All platforms running libvips
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers only when converting specially crafted 4-channel TIFF images to HEIF format using heifsave operation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the overflow can be controlled to execute arbitrary code.

🟠 Likely Case

Application crash (denial of service) when processing malicious TIFF images converted to HEIF format.

🟢 If Mitigated

Application crash with no further impact if memory protections (ASLR, DEP) are effective.

🌐 Internet-Facing: MEDIUM - Requires processing user-uploaded TIFF images and converting to HEIF format.
🏢 Internal Only: LOW - Typically requires user interaction or specific image processing workflows.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires crafting specific TIFF images with 4 channels and triggering HEIF conversion. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.16.1

Vendor Advisory: https://github.com/libvips/libvips/security/advisories/GHSA-f8r8-43hh-rghm

Restart Required: Yes

Instructions:

1. Update libvips to version 8.16.1 or later.
2. For package managers: 'apt update && apt upgrade libvips' (Debian/Ubuntu) or 'yum update libvips' (RHEL/CentOS).
3. Recompile applications using libvips if statically linked.
4. Restart affected services.

🔧 Temporary Workarounds

Disable HEIF conversion

all

Prevent processing of TIFF images through heifsave operation

Configure applications to avoid HEIF output format for TIFF inputs

Input validation

all

Reject TIFF images with 4 channels before processing

Implement pre-processing checks for channel count in TIFF images
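
One way to implement the channel-count check above, as an added example that is not part of the advisory or of libvips: it walks every IFD of a classic TIFF, reads the SamplesPerPixel tag (277), and fails closed on anything it cannot parse. It assumes SamplesPerPixel is the channel count of interest; the function names and the MAX_IFDS limit are hypothetical.

```python
import struct

SAMPLES_PER_PIXEL = 277  # TIFF 6.0 tag; value defaults to 1 when absent
MAX_IFDS = 64  # assumed page limit, guards against very long IFD chains

class RejectTiff(ValueError):
    """The file must not reach the heifsave path."""

def tiff_channel_counts(data: bytes) -> list[int]:
    """Return SamplesPerPixel for every IFD (page) of a classic TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise RejectTiff("not a TIFF header")
    e = "<" if data[:2] == b"II" else ">"  # byte order prefix for struct
    magic, offset = struct.unpack_from(e + "HI", data, 2)
    if magic != 42 or offset == 0:  # 43 = BigTIFF, not parsed: fail closed
        raise RejectTiff("unsupported or empty TIFF")
    counts, seen = [], set()
    while offset:
        if offset in seen or len(seen) >= MAX_IFDS or offset + 2 > len(data):
            raise RejectTiff("malformed IFD chain")
        seen.add(offset)
        (n,) = struct.unpack_from(e + "H", data, offset)
        end = offset + 2 + 12 * n  # each IFD entry is 12 bytes
        if end + 4 > len(data):
            raise RejectTiff("truncated IFD")
        spp = 1
        for pos in range(offset + 2, end, 12):
            tag, typ, cnt = struct.unpack_from(e + "HHI", data, pos)
            if tag == SAMPLES_PER_PIXEL:
                if typ != 3 or cnt != 1:  # must be a single SHORT
                    raise RejectTiff("bad SamplesPerPixel entry")
                (spp,) = struct.unpack_from(e + "H", data, pos + 8)
        counts.append(spp)
        (offset,) = struct.unpack_from(e + "I", data, end)  # next IFD or 0
    return counts

def safe_for_heifsave(data: bytes) -> bool:
    """False if any page has 4 channels or the file cannot be parsed."""
    try:
        return all(c != 4 for c in tiff_channel_counts(data))
    except RejectTiff:
        return False

def make_sample_tiff(spp: int) -> bytes:
    """Constructed one-page little-endian TIFF holding only SamplesPerPixel."""
    entry = struct.pack("<HHIHH", SAMPLES_PER_PIXEL, 3, 1, spp, 0)
    return struct.pack("<2sHIH", b"II", 42, 8, 1) + entry + struct.pack("<I", 0)
```

Run it on the uploaded bytes before any decoder touches the file; it is a coarse pre-filter and does not replace upgrading to 8.16.1.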

🧯 If You Can't Patch

  • Implement strict input validation for TIFF images, particularly checking channel count
  • Use web application firewalls or reverse proxies to filter/block suspicious TIFF uploads

🔍 How to Verify

Check if Vulnerable:

Check libvips version: 'vips --version' or check package manager. If version < 8.16.1, system is vulnerable.

Check Version:

vips --version

Verify Fix Applied:

Confirm libvips version is 8.16.1 or higher:

v=$(vips --version | grep -oE "[0-9]+\.[0-9]+\.[0-9]+" | head -n1); [ "$(printf "%s\n" 8.16.1 "$v" | sort -V | head -n1)" = 8.16.1 ] && echo "Patched"

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing TIFF images
  • Memory access violation errors in logs
  • Failed HEIF conversion attempts

Network Indicators:

  • Unusual TIFF file uploads followed by conversion requests
  • Multiple failed image processing requests

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "heap overflow" OR "buffer overflow") AND ("libvips" OR "heifsave" OR "TIFF")
