CVE-2025-2308
Published: 14 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2308 is a heap-based buffer overflow vulnerability classified as critical in HDF5 version 1.14.6. It affects the H5Z__scaleoffset_decompress_one_byte function within the Scale-Offset Filter component. The issue stems from improper memory handling, mapped to CWE-119, CWE-122, and CWE-787.
Exploitation requires local access (AV:L) with low privileges (PR:L) and low attack complexity (AC:L), needing no user interaction (UI:N) and resulting in unchanged scope (S:U). Attackers can achieve limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 5.3 under CVSS:3.1. A proof-of-concept exploit has been publicly disclosed.
Advisories from VulDB indicate the vendor plans to fix this in an upcoming release, with no patch available yet for version 1.14.6. Relevant details and the exploit POC are available at references including GitHub (madao123123/crash_report) and VulDB entries (ctiid.299721, id.299721, submit.514531). The vulnerability was published on 2025-03-14.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Data Processing Libraries
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: HDF5 is a widely used library for storing and processing large hierarchical datasets, commonly employed in AI/ML workflows for handling training data, model weights, and scientific data via interfaces like h5py. The vulnerability in the Scale-Offset Filter (data decompression) aligns with data processing in AI pipelines.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in HDF5 library's Scale-Offset Filter enables local exploitation for arbitrary code execution, facilitating privilege escalation (T1068).