How the CVE Works
The vulnerability in `bep/imagemeta` (v0.9.0 and earlier) stems from insufficient validation of EXIF metadata in image files. Attackers can craft malicious images with excessively large EXIF structures, exploiting the lack of size and tag limits. When processed, these images force the library to allocate excessive memory, leading to denial-of-service (DoS). The issue arises due to recursive parsing of nested EXIF tags without constraints. Patched versions (v0.10.0+) enforce `LimitNumTags` (default: 5000) and `LimitTagSize` (default: 10000) to mitigate this.
DailyCVE Form
Platform: `bep/imagemeta`
Version: `<0.10.0`
Vulnerability: `EXIF DoS`
Severity: `Critical`
Date: `2025-04-09`
What Undercode Say:
Exploitation:
```bash
# Craft malicious EXIF image using exiftool
exiftool -XMPToolkit="$(python3 -c 'print("A" * 1000000)')" exploit.jpg
```
Detection:
```bash
# Check for vulnerable versions in Go projects
go list -m all | grep "github.com/bep/imagemeta"
```
Mitigation:
```go
// Update to v0.10.0+ and enforce limits
metaOpts := imagemeta.Options{
	LimitNumTags: 5000,
	LimitTagSize: 10000,
}
```
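As an added illustration (not code from `bep/imagemeta` or the advisory), this Go sketch shows the kind of check that tag-count and tag-size limits represent: a TIFF-structured EXIF blob is judged from its declared counts before any value is read. `CheckExifLimits`, `sample` and the error names are hypothetical; the limit values reuse the defaults quoted above, and treating the size limit as bytes and rejecting (rather than skipping) an oversized tag are assumptions of this sketch.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var typeSize = [13]uint64{8, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8} // bytes per element, TIFF types 1..12; 0 is invalid, charged worst case
var orders = map[string]binary.ByteOrder{"II": binary.LittleEndian, "MM": binary.BigEndian}
var ErrLimit, ErrMalformed = errors.New("exif limit exceeded"), errors.New("malformed exif")

// CheckExifLimits judges a TIFF-structured EXIF blob from declared counts alone; sub-IFDs are not followed.
func CheckExifLimits(b []byte, maxTags int, maxTagSize uint64) error {
	if len(b) < 8 || orders[string(b[:2])] == nil {
		return ErrMalformed
	}
	bo := orders[string(b[:2])]
	for off, hops, seen := uint64(bo.Uint32(b[4:])), 0, 0; off != 0; hops++ {
		if hops == 8 || off+2 > uint64(len(b)) { // hop cap stops cyclic IFD chains
			return ErrMalformed
		}
		n := uint64(bo.Uint16(b[off:]))
		if seen += int(n); seen > maxTags {
			return fmt.Errorf("%w: %d tags declared", ErrLimit, seen)
		}
		end := off + 2 + n*12
		if end+4 > uint64(len(b)) {
			return ErrMalformed
		}
		for e := off + 2; e < end; e += 12 {
			typ, cnt := bo.Uint16(b[e+2:]), uint64(bo.Uint32(b[e+4:]))
			if int(typ) >= len(typeSize) || cnt*typeSize[typ] > maxTagSize { // unknown types are refused too
				return fmt.Errorf("%w: tag 0x%04x type %d count %d", ErrLimit, bo.Uint16(b[e:]), typ, cnt)
			}
		}
		off = uint64(bo.Uint32(b[end:]))
	}
	return nil
}

// sample is constructed input: a little-endian blob whose single ASCII tag declares cnt bytes.
func sample(cnt uint32) []byte {
	b := []byte{'I', 'I', 42, 0, 8, 0, 0, 0, 1, 0, 0x0e, 0x01, 2, 0, 0, 0, 0, 0, 26, 0, 0, 0, 0, 0, 0, 0}
	binary.LittleEndian.PutUint32(b[14:], cnt)
	return b
}

func main() {
	fmt.Println(CheckExifLimits(sample(64), 5000, 10000), CheckExifLimits(sample(1000000), 5000, 10000))
}
```

The check is linear in the number of declared entries and allocates nothing proportional to the declared sizes, which is the property the unpatched parsing path lacked.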
Analytics:
- Attack Vector: Local/Remote (image upload)
- Complexity: Low (no auth required)
- CVSS: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Protection:
```nginx
# Block large EXIF in web apps (nginx): caps the whole request body, so oversized uploads are rejected
client_max_body_size 1M;
```
References:
Reported By: https://github.com/advisories/GHSA-q7rw-w4cq-2j6w