CVE-2025-64183

7.5 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in OpenEXR's Python wrapper that occurs when reading EXR image files. Attackers could exploit this to cause crashes or potentially execute arbitrary code. Affected users include anyone processing EXR files with vulnerable OpenEXR versions through Python interfaces.

💻 Affected Systems

Products:
  • OpenEXR
  • Applications using OpenEXR Python bindings
Versions: 3.2.0-3.2.4, 3.3.0-3.3.5, 3.4.0-3.4.2
Operating Systems: All platforms with Python support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Python interface usage; C++ implementations are not vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if an attacker can supply malicious EXR files

🟠 Likely Case: Application crashes or denial of service when processing specially crafted EXR files

🟢 If Mitigated: Limited to denial of service if memory corruption doesn't lead to code execution

🌐 Internet-Facing: MEDIUM - Exploitation requires file upload/processing capabilities
🏢 Internal Only: LOW - Requires local file processing or internal file sharing

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious EXR files and triggering Python parsing

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.5, 3.3.6, or 3.4.3

Vendor Advisory: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m

Restart Required: Yes

Instructions:

1. Identify current OpenEXR version.
2. Upgrade to patched version via package manager or source compilation.
3. Restart affected applications.
4. Recompile any Python applications using OpenEXR bindings.

🔧 Temporary Workarounds

Disable Python bindings (platform: all)

Remove or disable the Python interface if it is not required:

pip uninstall openexr

This removes the Python bindings from the system; the C++ library itself is not affected and can stay installed.

Input validation (platform: all)

Validate EXR files before processing them with vulnerable versions.

🧯 If You Can't Patch

  • Isolate systems processing EXR files in sandboxed environments
  • Implement strict file upload controls and scanning for EXR files

🔍 How to Verify

Check if Vulnerable:

Check OpenEXR version: python -c "import OpenEXR; print(OpenEXR.__version__)" or check system package version

Check Version:

python -c "import OpenEXR; print(OpenEXR.__version__)"

Verify Fix Applied:

Confirm the installed version is at or above the fixed release for its series: 3.2.5 or later for 3.2.x, 3.3.6 or later for 3.3.x, and 3.4.3 or later for 3.4.x.
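The version check above is easy to get wrong by hand because each release series has its own fixed version (3.2.5, 3.3.6, 3.4.3). The following script, added here as an example and not part of the advisory, compares an OpenEXR version string against the affected ranges listed on this page. It assumes, as the page's own one-liner does, that the Python module exposes a `major.minor.patch` string in `OpenEXR.__version__`; the `FIXED` table and the `is_vulnerable` helper are constructed for this example.

```python
import re

# Fixed versions per release series, taken from the advisory on this page.
# Series not listed here (e.g. 3.1.x) are not in the affected ranges.
FIXED = {
    (3, 2): (3, 2, 5),
    (3, 3): (3, 3, 6),
    (3, 4): (3, 4, 3),
}


def parse_version(text):
    """Parse a leading 'major.minor.patch' from a version string into a tuple.

    Suffixes such as 'rc1' or '.post1' after the patch number are ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text):
    """Return True if the version falls in an affected range for CVE-2025-64183."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Release series not listed as affected on this page.
        return False
    return version < fixed


def installed_version():
    """Return OpenEXR.__version__ if the Python bindings are importable, else None."""
    try:
        import OpenEXR  # only present when the Python bindings are installed
    except ImportError:
        return None
    return getattr(OpenEXR, "__version__", None)


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("OpenEXR Python bindings not installed: not exposed to this CVE via Python")
    elif is_vulnerable(found):
        print(f"OpenEXR {found} is VULNERABLE; upgrade to {'.'.join(map(str, FIXED[parse_version(found)[:2]]))} or later")
    else:
        print(f"OpenEXR {found} is not in an affected range")
```

Run it on each host or container image that carries the Python bindings; the exit message names the fixed release for the installed series so the upgrade target is unambiguous.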

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing EXR files
  • Memory access violation errors in Python processes

Network Indicators:

  • Unusual EXR file uploads to web applications
  • Large volumes of EXR file transfers

SIEM Query:

source="application.log" AND ("segmentation fault" OR "access violation") AND "EXR"

🔗 References