VYPR
← All advisories
Medium severityNVD Advisory· Published Apr 8, 2025· Updated Apr 15, 2026

CVE-2025-32025

CVE-2025-32025

Description

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocation, and unreasonably high for image metadata. Before v0.11.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. v0.11.0 added a 10 MB upper limit.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/bep/imagemetaGo
< 0.11.00.11.0

Patches

1
ee0de9b029f4

Limit the byte buffer to 10 MB

https://github.com/bep/imagemetaBjørn Erik PedersenApr 7, 2025via ghsa
commit
3 files changed · +10 2
  • imagemeta.go+2 2 modified
    @@ -215,8 +215,8 @@ func Decode(opts Options) (err error) {
 		go func() {
 			defer func() {
 				err2 := errFromRecover(recover())
-				if err == nil {
-					err = err2
+				if err2 != nil {
+					errc <- err2
 				}
 			}()
 			errc <- dec.decode()
  • imagemeta_test.go+2 0 modified
    @@ -460,6 +460,7 @@ func TestLatLong(t *testing.T) {
 	c := qt.New(t)
 
 	tags, err := extractTags(t, "sunrise.jpg", imagemeta.EXIF)
+	c.Assert(err, qt.IsNil)
 
 	lat, long, err := tags.GetLatLong()
 	c.Assert(err, qt.IsNil)
@@ -478,6 +479,7 @@ func TestGetDateTime(t *testing.T) {
 	c := qt.New(t)
 
 	tags, err := extractTags(t, "sunrise.jpg", imagemeta.EXIF)
+	c.Assert(err, qt.IsNil)
 	d, err := tags.GetDateTime()
 	c.Assert(err, qt.IsNil)
 	c.Assert(d.Format("2006-01-02"), qt.Equals, "2017-10-27")
  • io.go+6 0 modified
    @@ -90,9 +90,15 @@ func (e *streamReader) otherByteOrder() binary.ByteOrder {
 	return binary.BigEndian
 }
 
+// 10 MB should be plenty for image metadata.
+const maxBufSize = 10 * 1024 * 1024
+
 // bufferedReader reads length bytes from the stream and returns a ReaderCloser.
 // It's important to call Close on the ReaderCloser when done.
 func (e *streamReader) bufferedReader(length int64) (readerCloser, error) {
+	if length > maxBufSize {
+		return nil, newInvalidFormatErrorf("length %d exceeds max %d", length, maxBufSize)
+	}
 	if length == 0 {
 		return struct {
 			io.ReadSeeker

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.