CVE-2025-48074: OpenEXR Out-Of-Memory via Unbounded File Header Values
The OpenEXR file format stores much of the information about the final image, such as the size of the data window and display window, in the file header. The application trusts the dataWindow size supplied in the header of the input file and performs computations based on that value. This may result in unintended behaviors, such as an excessively large number of iterations and/or huge memory allocations.
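The defensive pattern behind this class of bug is to treat header-supplied window coordinates as untrusted input: validate them, compute dimensions in a wider integer type, and cap the resulting loop counts and allocation sizes against an application-chosen limit before any buffer is reserved. The following is an added illustration written for this page, not OpenEXR's own code; the `Box2i` struct, the `planAllocation` function and the two limit constants are assumptions chosen for the example, and the sample windows are constructed inputs.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>

// Constructed stand-in for an EXR box2i dataWindow: inclusive pixel bounds
// read straight from an untrusted file header.
struct Box2i { int32_t xMin, yMin, xMax, yMax; };

// Application policy limits (assumed values for this example, not OpenEXR defaults).
constexpr int64_t  kMaxDimension  = 65536;        // max width or height in pixels
constexpr uint64_t kMaxPixelBytes = 1ull << 31;   // 2 GiB cap on the decoded buffer

// What the decoder is allowed to allocate once the window has been validated.
struct Plan { uint64_t width; uint64_t height; uint64_t bytes; };

// Validate a header-provided dataWindow and derive the buffer size from it.
// Returns std::nullopt for inverted windows, dimensions over the cap, or a
// byte count that would overflow or exceed the memory budget, so callers
// never allocate or loop on a number the file controls unchecked.
std::optional<Plan> planAllocation(const Box2i& w, uint32_t bytesPerPixel) {
    // Reject inverted or degenerate windows before doing any arithmetic.
    if (w.xMax < w.xMin || w.yMax < w.yMin) return std::nullopt;
    if (bytesPerPixel == 0) return std::nullopt;

    // Widen to 64-bit: (xMax - xMin + 1) overflows int32 when the header
    // supplies values near INT32_MIN / INT32_MAX.
    const int64_t width  = int64_t(w.xMax) - int64_t(w.xMin) + 1;
    const int64_t height = int64_t(w.yMax) - int64_t(w.yMin) + 1;

    // Per-dimension cap bounds iteration counts, not just memory.
    if (width > kMaxDimension || height > kMaxDimension) return std::nullopt;

    // width * height <= 2^32 after the cap above, so this product is safe;
    // the multiply by bytesPerPixel is checked explicitly.
    const uint64_t pixels = uint64_t(width) * uint64_t(height);
    if (pixels > std::numeric_limits<uint64_t>::max() / bytesPerPixel) return std::nullopt;
    const uint64_t bytes = pixels * bytesPerPixel;

    if (bytes > kMaxPixelBytes) return std::nullopt;
    return Plan{uint64_t(width), uint64_t(height), bytes};
}

int main() {
    // Constructed windows: a normal 1920x1080 image and an absurd one that
    // spans the whole int32 range, as a hostile header could declare.
    const Box2i normal{0, 0, 1919, 1079};
    const Box2i hostile{INT32_MIN, INT32_MIN, INT32_MAX, INT32_MAX};

    if (auto p = planAllocation(normal, 8))
        std::cout << "normal: " << p->width << "x" << p->height << " -> " << p->bytes << " bytes\n";
    if (!planAllocation(hostile, 8))
        std::cout << "hostile: rejected before allocation\n";
    return 0;
}
```

The important design choice is that the cap is applied to the dimensions themselves, not only to the final byte count: a decoder that iterates scanline by scanline can spin for an unbounded time on a huge height even when each row's buffer is small.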