CVE-2022-4988
Description
Alien::FreeImage versions through 1.001 for Perl contain several vulnerable libraries.
Alien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803. The library embeds other image libraries that also have known vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Alien::FreeImage Perl module bundles outdated FreeImage 3.17.0 with known vulnerabilities, exposing applications to multiple security risks.
Vulnerability Overview
Alien::FreeImage is a Perl module that bundles the FreeImage library (version 3.17.0, released in 2017) along with other embedded image libraries. This version of FreeImage contains multiple known security vulnerabilities, including CVE-2015-0852 and CVE-2025-65803 [1][2]. Additionally, the module embeds a version of zlib that has its own security issues [4]. The root cause is the use of outdated, unpatched dependencies.
Exploitation Conditions
Applications that use Alien::FreeImage to process image files are vulnerable. An attacker can exploit these flaws by supplying a specially crafted image file (e.g., TIFF, PNG, or other formats handled by FreeImage). No authentication is required if the application accepts user-provided images. The attack vector can be local or remote, depending on how the application ingests images.
Impact
Successful exploitation could allow an attacker to execute arbitrary code, cause a denial of service, or leak sensitive information. For instance, CVE-2015-0852 is a heap-based buffer overflow in FreeImage's TIFF parsing that can lead to code execution [1]. CVE-2025-65803 is another vulnerability in the same library [2]. The embedded zlib issues may further expand the attack surface [4].
Mitigation
As of the CVE publication, Alien::FreeImage versions up to and including 1.001 are affected. No official patch has been released for the Perl module. Users should consider upgrading to a newer version of Alien::FreeImage if available, or avoid using the module altogether. The FreeImage project has released newer versions, but the module has not been updated to incorporate them [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
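To act on the affected range stated above (Alien::FreeImage through 1.001), the following added example, which is not part of the CVE record or the module's own code, audits the text of a Perl project's cpanfile or Carton cpanfile.snapshot for the module. It assumes Carton's snapshot layout with "provides:" and "requirements:" sections; the names audit, perl_version and My-Thumbnailer are hypothetical and the sample lockfile excerpt is constructed.

```python
import re

LAST_AFFECTED = (1, 1)  # 1.001 as a tuple; the advisory range is "through 1.001"
# Patterns for a cpanfile declaration and for a cpanfile.snapshot "Module version" entry.
CPANFILE = re.compile(r"""(?:requires|recommends|suggests)\s+['"]Alien::FreeImage['"]""")
SNAPSHOT = re.compile(r"Alien::FreeImage\s+(\S+)$")

def perl_version(text):
    """Normalise a Perl version so decimal 1.001 and dotted v1.1.0 compare equal."""
    text = text.replace("_", "")
    if text.startswith("v") or text.count(".") > 1:
        parts = [int(p) for p in text.lstrip("v").split(".")]
    else:
        whole, _, frac = text.partition(".")
        frac += "0" * (-len(frac) % 3)  # decimal fractions are read in groups of three digits
        parts = [int(whole or 0)] + [int(frac[i:i + 3]) for i in range(0, len(frac), 3)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(text):
    """Scan cpanfile or cpanfile.snapshot text; return (kind, version, affected) tuples."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        snap, decl = SNAPSHOT.match(line), CPANFILE.match(line)
        if line in ("provides:", "requirements:"):
            section = line[:-1]
        elif snap and section == "provides":
            # Version the lockfile actually installs: compare against the advisory range.
            v = snap.group(1)
            findings.append(("resolved", v, v == "undef" or perl_version(v) <= LAST_AFFECTED))
        elif snap and section == "requirements":
            # Another distribution depends on the module; the number is only a minimum.
            findings.append(("declared", snap.group(1), None))
        elif decl:
            findings.append(("declared", None, None))
    return findings

# Constructed lockfile excerpt (My-Thumbnailer is a placeholder distribution).
SAMPLE = """\
  Alien-FreeImage-1.001
    provides:
      Alien::FreeImage 1.001
  My-Thumbnailer-0.01
    requirements:
      Alien::FreeImage 0
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "resolved" finding marked True is an installed version inside the affected range; "declared" findings carry None because a declaration only sets a minimum version and needs manual review.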
Affected products: 1
Patches: 0
No patches discovered yet.
References: 6
News mentions: 0
No linked articles in our index yet.