CVE-2025-32025: 
Wolfi vulnerability analysis and mitigation

CVE-2025-32025 affects bep/imagemeta, a Go library for reading EXIF, IPTC and XMP image meta data from JPEG, TIFF, PNG, and WebP files. The vulnerability was discovered and disclosed on April 8, 2025. The issue affects versions prior to v0.11.0, where the buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type (GitHub Advisory).

The vulnerability stems from insufficient bounds checking in the buffer allocation for PNG and WebP image metadata parsing. The buffer size was only limited by the input data type, which could result in potentially large memory allocations disproportionate to typical image metadata needs. The issue has been assigned a CVSS v4.0 score of 6.9 (MEDIUM) with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

If exploited, this vulnerability could be used to construct denial-of-service attacks against systems processing untrusted images. The unrestricted buffer allocation could lead to excessive memory consumption, potentially impacting system stability and availability (GitHub Advisory).

The vulnerability has been fixed in version v0.11.0 of bep/imagemeta, which implements a 10 MB upper limit on the buffer size for metadata parsing. Users are advised to upgrade to this version or later to mitigate the vulnerability (GitHub Commit).