CVE-2025-21123

High

Published: 11 February 2025

Published

11 February 2025

Modified

03 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21123 is a heap-based buffer overflow vulnerability, associated with CWE-122 and CWE-787, affecting Adobe InDesign Desktop versions 20.0, 19.5.1, and earlier. Published on 2025-02-11, it enables arbitrary code execution in the context of the current user when processing malicious input.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating exploitation requires local access with low complexity and no privileges, but user interaction is necessary as the victim must open a malicious file. Attackers who can deliver such a file to a target user can achieve arbitrary code execution, compromising confidentiality, integrity, and availability at a high level within the user's context.

Adobe Security Bulletin APSB25-01 details mitigations and patches for this issue, available at https://helpx.adobe.com/security/products/indesign/apsb25-01.html.

Details

CWE(s): CWE-122CWE-787

Affected Products

adobe

indesign

20.0 · ≤ 19.5.2

References

https://helpx.adobe.com/security/products/indesign/apsb25-01.html
Vendor Advisory · psirt@adobe.com