CVE-2025-4638: 
rsync vulnerability analysis and mitigation

A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue was discovered and disclosed on May 14, 2025, and is tracked as CVE-2025-4638. The vulnerability allows context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. The issue specifically affects PCL versions older than 1.14.0 or installations where users explicitly set WITHSYSTEMZLIB=FALSE (NVD, Wiz).

The vulnerability stems from improper pointer arithmetic operations in the inftrees.c component of the bundled zlib library within PCL. It has received a CVSS v4.0 Base Score of 9.2 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:L/SA:H/AU:Y/R:U/V:D/RE:M/U:Amber. The vulnerability is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (NVD, Snyk).

The vulnerability can lead to undefined behavior through improper pointer arithmetic, potentially resulting in memory corruption. According to the CVSS metrics, the vulnerability can cause high impacts on integrity and availability, with potential system-wide effects. The vulnerability presents a critical risk with high integrity and availability impact scores (Wiz, Snyk).

Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITHSYSTEMZLIB=FALSE. To mitigate this vulnerability, users should either upgrade to PCL version 1.14.0 or later or ensure they are using the system zlib installation. For systems where upgrading is not immediately possible, users should avoid setting WITHSYSTEMZLIB=FALSE (GitHub PCL, NVD).