CVE-2025-47815: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in GNU PSPP version 2.0.1 and earlier, specifically in the libpspp-core.a component. The vulnerability affects the ZIP reader functionality, particularly in the inflateread function which is called indirectly from zipmemberreadall in zip-reader.c. The vulnerability was disclosed on May 10, 2025, and has been assigned CVE-2025-47815 with a CVSS v3.1 score of 4.5 (Medium) (NVD, Wiz).

The vulnerability exists in the inflateread function within zip-reader.c, which is called indirectly through zipmemberreadall. When processing ZIP files, the function attempts to write beyond the allocated buffer size, resulting in a heap buffer overflow. The vulnerability has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L, indicating local access required with high attack complexity (NVD).

The vulnerability can lead to a heap-based buffer overflow condition, potentially allowing attackers to cause memory corruption. This could result in program crashes or possible code execution in the context of the application. The impact is somewhat limited by the local access requirement and high attack complexity (Wiz).

The vulnerability affects GNU PSPP through version 2.0.1. Users should monitor for patches and updates from the GNU PSPP development team. As of the initial report, no official patch has been released (NVD).