CVE-2019-5063
Description
An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV 4.1.0. A specially crafted XML file can cause a buffer overflow, resulting in multiple heap corruptions and potential code execution. An attacker can provide a specially crafted file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in OpenCV 4.1.0's XML persistence allows code execution via a crafted file.
Vulnerability
Overview
CVE-2019-5063 is a heap buffer overflow in the data structure persistence functionality (the cv::FileStorage reader) of OpenCV 4.1.0. The flaw is in the XML reader in modules/core/src/persistence_xml.cpp, where string values are decoded into a fixed-size buffer of 4112 bytes (CV_FS_MAX_LEN+16, with CV_FS_MAX_LEN = 4096). When the reader meets an ampersand (&) it collects alphanumeric characters up to the next semicolon as an entity name. A name that matches one of the predefined XML entities (lt, gt, amp, apos, quot) is replaced by a single character; any other name is copied verbatim, ampersand and semicolon included, into the buffer with no check that it fits. An entity name longer than the space remaining in the buffer therefore writes past its end [2].
Exploitation
An attacker triggers the bug with an XML file in which a string value contains an entity reference whose name is long enough that the name plus the data already decoded exceeds the 4112-byte buffer (for example &AAAA...A; with several thousand characters). The victim must open the file with code that reads it through OpenCV's persistence module, so user interaction is required, but no authentication is needed and the file can arrive by any channel. NVD rates it CVSS v3 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting the low attack complexity and high impact [2][3].
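The following C program is an added example, not code from OpenCV or from the Talos report. It reduces the string decoder described above to a stand-alone model so the overrun can be measured: plain characters are length-checked, but the fallback copy for an unrecognised entity is not, so a long entity name spills past the 4112-byte strbuf. The decoder is run against a heap block with a tagged guard region behind the buffer, and the number of guard bytes overwritten is the size of the overrun. With the bounds check enabled (its exact form here is an assumption modelled on a "string is too long" rejection, not a quotation of the upstream fix) the same input is refused. The names decode_string, make_long_entity, guard_bytes_clobbered, the guard region and the constructed payload are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CV_FS_MAX_LEN 4096                  /* OpenCV's limit on a decoded string literal */
#define STRBUF_SIZE   (CV_FS_MAX_LEN + 16)  /* the 4112-byte strbuf named in the report */
#define GUARD_SIZE    256                   /* tagged bytes behind strbuf; keeps the overrun inside our allocation */

/* Decode the body of a double-quoted XML string (src starts just after the
 * opening quote) into dst, which the caller sizes at STRBUF_SIZE. Returns the
 * number of bytes stored or -1 for a parse error. Modelled on the 4.1.0 loop:
 * single characters are length-checked, the unknown-entity copy is not unless
 * bounds_checked is set. */
static int decode_string(const char *src, char *dst, int bounds_checked)
{
    int i = 0;
    const char *p = src;

    for (;;) {
        char c = *p++;
        if (c == '\0')
            return -1;                          /* unterminated literal */
        if (c == '"')
            break;
        if (c == '&') {
            const char *name = p;               /* first byte of the entity name */
            const char *end = name;
            while (isalnum((unsigned char)*end))
                end++;
            if (*end != ';')
                return -1;                      /* bad entity syntax */
            int len = (int)(end - name);
            p = end + 1;                        /* resume after the ';' */
            if      (len == 2 && memcmp(name, "lt",   2) == 0) c = '<';
            else if (len == 2 && memcmp(name, "gt",   2) == 0) c = '>';
            else if (len == 3 && memcmp(name, "amp",  3) == 0) c = '&';
            else if (len == 4 && memcmp(name, "apos", 4) == 0) c = '\'';
            else if (len == 4 && memcmp(name, "quot", 4) == 0) c = '"';
            else {
                /* Unknown entity: kept verbatim as "&" + name + ";" = len + 2 bytes.
                 * This is the check the vulnerable release lacked (assumed form). */
                if (bounds_checked && i + len + 2 >= CV_FS_MAX_LEN)
                    return -1;                  /* string is too long */
                memcpy(dst + i, name - 1, (size_t)len + 2);
                i += len + 2;
                continue;
            }
        }
        if (i >= CV_FS_MAX_LEN)
            return -1;                          /* plain characters were always bounded */
        dst[i++] = c;
    }
    dst[i] = '\0';
    return i;
}

/* Constructed payload: the body of a quoted value holding one entity whose
 * name is name_len 'A's, followed by the closing quote the decoder expects. */
static char *make_long_entity(int name_len)
{
    char *s = malloc((size_t)name_len + 4);
    if (!s) return NULL;
    s[0] = '&';
    memset(s + 1, 'A', (size_t)name_len);
    s[name_len + 1] = ';';
    s[name_len + 2] = '"';
    s[name_len + 3] = '\0';
    return s;
}

/* Decode into a heap block laid out as [strbuf | guard] and count the guard
 * bytes that changed: 0 means the writes stayed in bounds, -1 means the input
 * was rejected, anything else is the size of the overrun in bytes. */
static int guard_bytes_clobbered(const char *src, int bounds_checked)
{
    unsigned char *block = malloc(STRBUF_SIZE + GUARD_SIZE);
    if (!block) return -1;
    memset(block, 0, STRBUF_SIZE);
    memset(block + STRBUF_SIZE, 0xAA, GUARD_SIZE);
    int rc = decode_string(src, (char *)block, bounds_checked);
    int clobbered = 0;
    for (int k = 0; k < GUARD_SIZE; k++)
        if (block[STRBUF_SIZE + k] != 0xAA)
            clobbered++;
    free(block);
    return rc < 0 ? -1 : clobbered;
}

int main(void)
{
    char *payload = make_long_entity(4200);     /* 4202 bytes into a 4112-byte buffer */
    printf("4.1.0 behaviour: %d guard bytes overwritten\n", guard_bytes_clobbered(payload, 0));
    printf("with length check: rc=%d (input rejected)\n", guard_bytes_clobbered(payload, 1));
    free(payload);
    return 0;
}
```

A plain string of 4200 characters is refused by both variants, because the per-character path has always been bounded; only the entity path bypasses the limit, which is why the crafted file needs an entity reference rather than merely a long value. The guard region is an instrumentation device for this example; in the real process the bytes past strbuf belong to whatever the allocator placed next, which is the heap corruption the advisory describes.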
Impact
Successful exploitation results in heap corruption, which can be leveraged to achieve arbitrary code execution in the context of the process using OpenCV. This could allow an attacker to compromise systems that rely on OpenCV for processing untrusted XML data, such as in image analysis pipelines or robotics applications [2].
Mitigation
The bug is in OpenCV 4.1.0, which the opencv-python wheels ship as release 4.1.0.25 [4]; the advisory lists every opencv-python distribution up to and including 4.1.0.25 as affected and names no patched version, so update to a release newer than 4.1.0.25 (OpenCV newer than 4.1.0) and verify the installed version after upgrading. No workaround is documented. Until the update is applied, do not read XML files from untrusted sources through cv::FileStorage (cv2.FileStorage in Python); this includes any OpenCV feature that loads its configuration or model data from XML, not only code that calls the persistence API directly.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencv-python (PyPI) | <= 4.1.0.25 | — |
| opencv-python-headless (PyPI) | <= 4.1.0.25 | — |
| opencv-contrib-python (PyPI) | <= 4.1.0.25 | — |
| opencv-contrib-python-headless (PyPI) | <= 4.1.0.25 | — |
Affected products
GHSA coordinates, 4 package versions:
- pkg:pypi/opencv-contrib-python (no CPE), range: <= 4.1.0.25
- pkg:pypi/opencv-contrib-python-headless (no CPE), range: <= 4.1.0.25
- pkg:pypi/opencv-python (no CPE), range: <= 4.1.0.25
- pkg:pypi/opencv-python-headless (no CPE), range: <= 4.1.0.25
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m6vm-8g8v-xfjh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5063 (NVD advisory)
- github.com/opencv/opencv-python/releases/tag/25 (web)
- github.com/opencv/opencv/issues/16951 (web)
- talosintelligence.com/vulnerability_reports/TALOS-2019-0852 (web, x_refsource_MISC)
- www.oracle.com//security-alerts/cpujul2021.html (web, x_refsource_MISC)
- www.oracle.com/security-alerts/cpuApr2021.html (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.