VYPR
Medium severityNVD Advisory· Published Apr 8, 2025· Updated Apr 15, 2026

CVE-2025-32024

Description

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image metadata from JPEG, TIFF, PNG, and WebP files. The EXIF data format allows excessively large data structures to be declared in relatively small payloads. Before v0.10.0, if the input images were untrusted, this could be abused to construct denial-of-service attacks. v0.10.0 added the LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem  Affected versions  Patched versions
github.com/bep/imagemeta  Go         < 0.10.0           0.10.0

Patches

1 patch

Commit 4fd89616d8bf

Add LimitNumTags and LimitTagSize

https://github.com/bep/imagemeta · Bjørn Erik Pedersen · Mar 13, 2025 · via ghsa
6 files changed · +49 −3
  • gen/testdata_exiftool/images/largeexif.png.json  +14 −0  added
    @@ -0,0 +1,14 @@
    +[{
    +  "SourceFile": "../testdata/images/largeexif.png",
    +  "ExifTool": {
    +    "ExifToolVersion": 12.76,
    +    "Warning": "Processing TIFF-like data after unknown 16-byte header"
    +  },
    +  "File": {
    +    "FileName": "largeexif.png",
    +    "Directory": "../testdata/images",
    +    "FileSize": 1310710,
    +    "FilePermissions": 100644,
    +    "ExifByteOrder": "MM"
    +  }
    +}]
    
  • imagemeta.go  +32 −0  modified
    @@ -113,6 +113,28 @@ func Decode(opts Options) (err error) {
     		}
     	}
     
    +	const (
    +		defaultLimitNumTags = 5000
    +		defaultLimitTagSize = 10000
    +	)
    +
    +	if opts.LimitNumTags == 0 {
    +		opts.LimitNumTags = defaultLimitNumTags
    +	}
    +	if opts.LimitTagSize == 0 {
    +		opts.LimitTagSize = defaultLimitTagSize
    +	}
    +
    +	var tagCount uint32
    +	shouldHandleTag := opts.ShouldHandleTag
    +	opts.ShouldHandleTag = func(ti TagInfo) bool {
    +		tagCount++
    +		if tagCount > opts.LimitNumTags {
    +			panic(ErrStopWalking)
    +		}
    +		return shouldHandleTag(ti)
    +	}
    +
     	if opts.HandleTag == nil {
     		opts.HandleTag = func(TagInfo) error { return nil }
     	}
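Review bot: the wrapper installed over `opts.ShouldHandleTag` calls the captured `shouldHandleTag` unconditionally, so it depends on a non-nil default having been assigned above this hunk; the only nil-default visible here (`if opts.HandleTag == nil`) is for the other callback and runs after the wrapper is in place. If ShouldHandleTag's default is assigned later in Decode, the wrapper calls a nil func. Separately, reaching the limit is signalled only by `panic(ErrStopWalking)`, so a caller cannot tell a complete decode from one cut off at 5000 tags; consider surfacing a dedicated error or at least documenting the silent stop, and note that `tagCount` counts every tag offered to ShouldHandleTag, including those the caller's own filter rejects.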
    @@ -246,6 +268,16 @@ type Options struct {
     	// Mostly useful for testing.
     	// If set to 0, the decoder will not time out.
     	Timeout time.Duration
    +
    +	// LimitNumTags is the maximum number of tags to read.
    +	// Default value is 5000.
    +	LimitNumTags uint32
    +
    +	// LimitTagSize is the maximum size in bytes of a tag value to read.
    +	// Tag values larger than this will be skipped without notice.
    +	// Note that this limit is not relevant for the XMP source.
    +	// Default value is 10000.
    +	LimitTagSize uint16
     }
     
     // TagInfo contains information about a tag.
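Review bot: the doc comment for LimitNumTags should state what happens when the limit is exceeded (decoding stops at that point rather than returning an error), as the LimitTagSize comment already does for its skip behaviour. Also, LimitTagSize is `uint16` while LimitNumTags is `uint32`, so the largest configurable tag size is 65535 bytes and a caller with trusted input cannot raise the cap beyond that; and for both fields 0 means "use the default" rather than "no limit", which neither comment says. Consider `uint32` for LimitTagSize and spelling out the zero-value semantics in both comments.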
    
  • imagemeta_test.go  +1 −1  modified
    @@ -8,6 +8,7 @@ import (
     	"errors"
     	"fmt"
     	"io"
    +	"maps"
     	"math"
     	"math/rand"
     	"os"
    @@ -23,7 +24,6 @@ import (
     
     	qt "github.com/frankban/quicktest"
     	"github.com/google/go-cmp/cmp"
    -	"maps"
     )
     
     func TestDecodeAllImageFormats(t *testing.T) {
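Review bot: the only change in this test file is moving the `maps` import into the standard-library group; nothing in the diff exercises LimitNumTags, LimitTagSize or the new testdata/images/largeexif.png fixture. Add a test that decodes the fixture with default options and asserts on the number of tags delivered to HandleTag and on Decode's return value, and one that sets a small LimitTagSize and checks that the oversized tag is skipped, so the limits are pinned by a regression test.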
    
  • metadecoder_exif.go  +1 −1  modified
    @@ -383,7 +383,7 @@ func (e *metaDecoderEXIF) decodeTag(namespace string) error {
     	}
     
     	// Below is EXIF
    -	if !e.opts.Sources.Has(EXIF) {
    +	if !e.opts.Sources.Has(EXIF) || valLen > uint32(e.opts.LimitTagSize) {
     		e.skip(4)
     		return nil
     	}
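Review bot: in `if !e.opts.Sources.Has(EXIF) || valLen > uint32(e.opts.LimitTagSize)` an oversized value is skipped exactly like a disabled source, with no signal to the caller; a count of skipped tags or a debug hook would let users detect truncated output. Also confirm how `valLen` is derived: if it is the tag count multiplied by the type size in `uint32` arithmetic without an overflow check, a crafted count could wrap the product below LimitTagSize and bypass this guard.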
    
  • metadecoder_iptc.go  +1 −1  modified
    @@ -273,7 +273,7 @@ func (e *metaDecoderIPTC) decodeRecord(stringSlices map[TagInfo][]string) error
     		Namespace: recordDef.RecordName,
     	}
     
    -	if !e.opts.ShouldHandleTag(ti) {
    +	if recordSize > uint16(e.opts.LimitTagSize) || !e.opts.ShouldHandleTag(ti) {
     		e.skip(int64(recordSize))
     		return nil
     	}
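Review bot: placing the size check ahead of `e.opts.ShouldHandleTag(ti)` means oversized IPTC records never reach the counting wrapper installed in Decode, so they do not count toward LimitNumTags; if that is intended, say so in the LimitNumTags doc comment. The `uint16(e.opts.LimitTagSize)` conversion is a no-op given the field's declared type and will need revisiting if LimitTagSize is widened.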
    
  • testdata/images/largeexif.png  +0 −0  added
