CVE-2025-48074 — OpenEXR Out-Of-Memory via Unbounded File Header Values

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

How to fix CVE-2025-48074

To remediate CVE-2025-48074, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 3.3.3 or later

Is CVE-2025-48074 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 3.3.2, < 3.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48074
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-48074
PATCHgithub.com/AcademySoftwareFoundation/openexr
WEBgithub.com/AcademySoftwareFoundation/openexr/commit/2df7802a6421bf39ed73a607392f01b3c6da4e4a