CVE-2025-32024: 
Wolfi vulnerability analysis and mitigation

bep/imagemeta is a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The vulnerability (CVE-2025-32024) was discovered in versions prior to v0.10.0, where the EXIF data format allowed for defining excessively large data structures in relatively small payloads. This vulnerability was disclosed on April 8, 2025 (GitHub Advisory).

The vulnerability stems from the library's handling of EXIF data structures, where there were no limits on the size of tag data or the number of tags that could be processed. This could lead to excessive memory allocation from relatively small input files. The issue was addressed in version 0.10.0 by introducing two new security controls: LimitNumTags with a default value of 5000, and LimitTagSize with a default value of 10000 bytes (GitHub Commit). The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

If exploited, this vulnerability could be used to construct denial-of-service attacks against systems processing untrusted images. The attack could cause excessive memory consumption and potential system resource exhaustion, despite the input file being relatively small in size (GitHub Advisory).

Users should upgrade to version 0.10.0 or later, which implements the LimitNumTags and LimitTagSize security controls. These limits provide protection against excessive resource consumption from malicious EXIF data. The default values (5000 for LimitNumTags and 10000 for LimitTagSize) can be adjusted if needed (GitHub Commit).