CVE-2025-21135
Published: 14 January 2025
Description
Animate versions 24.0.6, 23.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Security Summary
CVE-2025-21135 is an Integer Underflow (Wrap or Wraparound) vulnerability, classified under CWE-191, affecting Adobe Animate versions 24.0.6, 23.0.9, and earlier. This flaw could allow arbitrary code execution in the context of the current user. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity but requiring local access and user interaction.
Exploitation requires an attacker to trick a victim into opening a malicious file within the affected Adobe Animate software. No privileges are needed (PR:N), and the attack has an unchanged scope (S:U). Successful exploitation grants the attacker high levels of confidentiality, integrity, and availability impact, enabling arbitrary code execution as the logged-in user.
Adobe has published security bulletin APSB25-05 at https://helpx.adobe.com/security/products/animate/apsb25-05.html, which provides details on the vulnerability and available patches for mitigation. Security practitioners should ensure affected systems are updated to patched versions and advise users to avoid opening untrusted files in Adobe Animate.
Details
- CWE(s)