CVE-2025-21158

High

Published: 11 February 2025

Published

11 February 2025

Modified

03 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0008 22.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

InDesign Desktop versions ID20.0, ID19.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Summary

CVE-2025-21158 is an Integer Underflow (Wrap or Wraparound) vulnerability, classified under CWE-191, affecting Adobe InDesign Desktop versions ID20.0, ID19.5.1, and earlier. This flaw could lead to arbitrary code execution in the context of the current user. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-02-11.

Exploitation requires local access and user interaction, specifically tricking a victim into opening a malicious file with a vulnerable InDesign installation. No special privileges are needed (PR:N), and the attack complexity is low (AC:L). Successful exploitation allows an attacker to achieve high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) within the user's context, without changing scope.

Adobe's security bulletin APSB25-01, available at https://helpx.adobe.com/security/products/indesign/apsb25-01.html, provides details on mitigation and available patches for affected InDesign versions.

Details

CWE(s): CWE-191

Affected Products

adobe

indesign

20.0 · ≤ 19.5.2

References

https://helpx.adobe.com/security/products/indesign/apsb25-01.html
Vendor Advisory · psirt@adobe.com