CVE-2024-25112: 
Python vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2024-25112) was discovered in Exiv2 version v0.28.1. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The vulnerability affects versions 0.28.0 and 0.28.1, with versions before v0.28 not being affected. The issue was discovered through OSS-Fuzz and has been fixed in version v0.28.2 (GitHub Advisory).

The vulnerability stems from an unbounded recursion in the QuickTimeVideo::multipleEntriesDecoder function, which was introduced in v0.28.0. The CVSS v3.1 score is 5.0 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H according to NVD, while GitHub rates it at 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-674 (Uncontrolled Recursion) and CWE-400 (Uncontrolled Resource Consumption) (NVD).

When exploited, the vulnerability can cause Exiv2 to crash by exhausting the stack when reading metadata from a crafted video file. This results in a denial-of-service condition affecting the application's availability (GitHub Advisory).

Users are advised to upgrade to Exiv2 version v0.28.2 which contains the fix for this vulnerability. There are no known workarounds for affected versions (GitHub Advisory).