CVE-2025-54874: 
NixOS vulnerability analysis and mitigation

CVE-2025-54874 affects OpenJPEG, an open-source JPEG 2000 codec. The vulnerability was discovered in OpenJPEG versions 2.5.1 through 2.5.3, where a call to opjjp2readheader may lead to an out-of-bounds heap memory write when the data stream pstream is too short and p_image is not initialized. The issue was disclosed on August 5, 2025 (NVD).

The vulnerability stems from a failure to check the return value of opjj2kreadheader() before processing its output arguments in opjjp2readheader(). When the caller has not set the pimage pointer to NULL before calling opjreadheader(), and if opjj2kreadheaderprocedure() fails while obtaining the rest of the marker segment due to a short data stream, opjj2kreadheader() never initializes p_image, leaving it uninitialized. The vulnerability has been assigned a CVSS v4.0 base score of 6.6 (Medium) with vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability can lead to heap buffer write issues when processing JPEG 2000 images. If exploited, it could potentially allow an attacker to write to arbitrary memory locations, which may result in program crashes or potential code execution (GitHub PR).

The vulnerability has been fixed in the OpenJPEG codebase through a patch that adds a check for the return value of opjj2kreadheader() before using the output argument pimage. Red Hat has released security updates for affected versions in Red Hat Enterprise Linux 10 (Red Hat). Users are advised to upgrade to the patched versions of the software.