CVE-2025-47105 – Adobe InDesign has an out-of-bounds read vulner... (How to Fix)

Q: What is the severity of CVE-2025-47105?

CVE-2025-47105 has a CVSS score of 5.5 (MEDIUM). Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when users open malicious files. This could help bypass security mitigations like ASLR. Affected users are those running vulnerable versions of InDesign Desktop.

📋 TL;DR

Adobe InDesign has an out-of-bounds read vulnerability that could allow attackers to read sensitive memory contents when users open malicious files. This could help bypass security mitigations like ASLR. Affected users are those running vulnerable versions of InDesign Desktop.

💻 Affected Systems

Products:

Adobe InDesign Desktop

Versions: ID20.2, ID19.5.3 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable.

📦 What is this software?

Indesign by Adobe

View all CVEs affecting Indesign →

Indesign by Adobe

View all CVEs affecting Indesign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory disclosure could reveal sensitive information or facilitate more sophisticated attacks by bypassing ASLR protections.

🟠

Likely Case

Limited information disclosure from memory when users open specially crafted malicious files.

🟢

If Mitigated

No impact if users avoid opening untrusted files or have patched versions.

🌐 Internet-Facing: LOW - Requires user interaction with malicious files, not directly network exploitable.

🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user to open malicious file, making exploitation dependent on social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ID20.2.1 and ID19.5.4 or later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb25-53.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application. 2. Navigate to 'Apps' tab. 3. Find InDesign and click 'Update'. 4. Restart computer after update completes.

🔧 Temporary Workarounds

Restrict file opening

all

Configure InDesign to only open trusted files or disable automatic file opening

Application control

all

Use application whitelisting to restrict InDesign execution to trusted locations

🧯 If You Can't Patch

Implement strict policies against opening untrusted InDesign files
Use sandboxing or virtualization for InDesign when handling untrusted content

🔍 How to Verify

Check if Vulnerable:

Check InDesign version via Help > About InDesign. If version is ID20.2 or earlier, or ID19.5.3 or earlier, you are vulnerable.

Check Version:

On Windows: wmic product where name="Adobe InDesign" get version. On macOS: /Applications/Adobe\ InDesign\ */Adobe\ InDesign.app/Contents/MacOS/Adobe\ InDesign -v

Verify Fix Applied:

Verify version is ID20.2.1 or later, or ID19.5.4 or later after patching.

📡 Detection & Monitoring

Log Indicators:

Unexpected InDesign crashes
Large memory reads from InDesign process
Suspicious file opens in InDesign

Network Indicators:

Downloads of InDesign files from untrusted sources

SIEM Query:

process_name:"InDesign.exe" AND (event_type:"process_crash" OR memory_usage_anomaly)

📊 Metadata

CVE ID: CVE-2025-47105

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

EPSS Score: 0.03% exploit probability (7.3th percentile)

Published: June 10, 2025

Last Updated: June 16, 2025

🔗 References

https://helpx.adobe.com/security/products/indesign/apsb25-53.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-47105, you might also want to check these: