CVE-2025-2308: 
NixOS vulnerability analysis and mitigation

A critical vulnerability was discovered in HDF5 version 1.14.6, identified as CVE-2025-2308. The vulnerability affects the H5Z_scaleoffsetdecompressonebyte function within the Scale-Offset Filter component. This heap-based buffer overflow vulnerability was disclosed on March 14, 2025, and its current status is marked as disputed (NVD).

The vulnerability occurs during the decompression of data using the Scale-Offset filter, where the library attempts to read 1 byte of data beyond the bounds of an allocated 26-byte heap memory region. The vulnerability has received a CVSS v4.0 score of 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The heap-based buffer overflow vulnerability can lead to potential memory corruption, which could result in program crashes or possible code execution. The vulnerability requires local access to exploit and has low impact scores across confidentiality, integrity, and availability (NVD).

The real existence of this vulnerability is currently disputed. The vendor was contacted about a batch of vulnerabilities and responded with "reject" without further explanation. No official patches or mitigations have been released at this time (NVD).