Heap-based Buffer Overflow Affecting blosc/c-blosc2 package, versions [,2.17.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.03% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-BLOSCCBLOSC2-9901429
  • published29 Apr 2025
  • disclosed4 Apr 2025
  • creditlmarch2

Introduced: 4 Apr 2025

NewCVE-2025-29476  (opens in a new tab)
CWE-122  (opens in a new tab)

How to fix?

Upgrade blosc/c-blosc2 to version 2.17.1 or higher.

Overview

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the sw32_() function in blosc-private.h. An attacker can execute arbitrary code or cause a crash by providing specially crafted input to trigger the overflow.

CVSS Base Scores

version 4.0
version 3.1