Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Libvips Subscribe
Filtered by product Libvips
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-59933 1 Libvips 1 Libvips 2025-10-18 N/A 7.8 HIGH
libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as thosewith support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.
CVE-2025-29769 2 Debian, Libvips 2 Debian Linux, Libvips 2025-10-09 N/A 5.5 MEDIUM
libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.
CVE-2023-40032 2 Fedoraproject, Libvips 2 Fedora, Libvips 2025-04-21 N/A 5.5 MEDIUM
libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.