CVE-2025-53074: 
NixOS vulnerability analysis and mitigation

Out-of-bounds Read vulnerability was discovered in Samsung Open Source rLottie version V0.2. The vulnerability, identified as CVE-2025-53074, was disclosed on June 29, 2025, and allows overflow buffers in the rLottie library (NVD, Wiz).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v4.0 base score of 5.1 (Medium) and vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. The CVSS v3.1 assessment indicates a more severe base score of 9.1 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, suggesting the vulnerability is network accessible, requires low attack complexity, and needs user interaction (NVD, Wiz).

The vulnerability can lead to buffer overflow conditions in the rLottie library, potentially affecting applications that utilize this component for Lottie animations. The exploitation probability percentile (EPSS) is 16.2 with an exploitation probability of 0.1 (Wiz).

A fix has been implemented through a pull request that introduces several validation checks including type checking for CompLayer(), bounds checking for Gradient::populate(), frames vector empty check, and rejection of outliers (GitHub PR).