CVE-2025-2310: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-2310) was discovered in HDF5 version 1.14.6, specifically affecting the H5MM_strndup function within the Metadata Attribute Decoder component. The vulnerability was identified in March 2025, though its status is currently disputed. The vendor was contacted regarding this vulnerability but rejected it without providing detailed explanation (VulDB Submit).

The vulnerability is classified as a heap-based buffer overflow that occurs when the library attempts to read 5 bytes of data beyond the bounds of an allocated 320-byte heap memory region during the decoding of attribute metadata. The issue specifically manifests in the strndup function called by H5MM_strndup. The vulnerability has received a CVSS v4.0 score of 4.8 (Medium) with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 5.3 (Medium) (NVD CVE).

The heap-based buffer overflow vulnerability could potentially lead to memory corruption, application crashes, or in more severe cases, arbitrary code execution. The impact is somewhat mitigated by the fact that local access is required to exploit the vulnerability (GitHub POC).

Currently, there are no official patches or fixes available as the vendor has disputed the vulnerability. The vendor was contacted about this issue but rejected it without providing a detailed explanation. Users are advised to monitor for updates from the HDF Group regarding this vulnerability (NVD CVE).