CVE-2025-2337
Published: 16 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2337 is a heap-based buffer overflow vulnerability classified as critical in tbeu/matio version 1.5.28. The issue affects the Mat_VarPrint function in the src/mat.c file, where manipulation triggers the overflow. Published on 2025-03-16, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R) to trigger. Successful exploitation can lead to limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing partial data exposure, modification, or denial of service via the heap overflow.
Advisories and discussions are detailed in GitHub issue https://github.com/tbeu/matio/issues/267 (including comment https://github.com/tbeu/matio/issues/267#issue-2883856488) and VulDB entries at https://vuldb.com/?ctiid.299801, https://vuldb.com/?id.299801, and https://vuldb.com/?submit.510779.
The exploit has been disclosed publicly and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap-based buffer overflow in matio library's Mat_VarPrint function exploitable remotely via malicious MAT files with user interaction, enabling arbitrary code execution in client applications via Exploitation for Client Execution.