CVE-2025-48071: 
Python vulnerability analysis and mitigation

OpenEXR, which provides the specification and reference implementation of the EXR file format for the motion picture industry, was found to contain a heap-based buffer overflow vulnerability (CVE-2025-48071). The vulnerability affects versions 3.3.0 through 3.3.2 and was discovered in July 2025. The issue occurs during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header (GitHub Advisory, NVD).

The vulnerability exists in the OpenEXRCore code, specifically in the undozipimpl function within src/lib/OpenEXRCore/internalzip.c. The function fails to validate whether the actual decompressed size (actualoutbytes) exceeds the allocated buffer size (uncompressedsize). When parsing STORAGEDEEPSCANLINE chunks, the code extracts chunk information including the unpackedsize, which is later used for buffer allocation. The vulnerability can be triggered by setting the unpackedsize in the chunk header smaller than the actual chunk decompressed data, leading to a buffer overflow in the internalzipreconstruct_bytes function. The vulnerability has been assigned a CVSS 4.0 Base Score of 8.4 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

An attacker can exploit this vulnerability by providing a maliciously crafted file to any program that uses the OpenEXR libraries. This could allow the attacker to write an arbitrary amount of bytes in the heap, potentially leading to code execution in the affected process (GitHub Advisory).

The vulnerability has been fixed in OpenEXR version 3.3.3. The fix involves adding a check in the undozipimpl function to verify that actualoutbytes does not exceed uncompressed_size (GitHub Commit, GitHub Release).