CVE-2025-7980: 
NixOS vulnerability analysis and mitigation

Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2025-7980) was discovered in Ashlar-Vellum Graphite version 13.0.48. The vulnerability was initially reported on November 8, 2024, and was publicly disclosed on July 22, 2025 (Zero Day Initiative).

The vulnerability exists within the parsing of VC6 files and results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.0 base score of 7.8 (High) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Zero Day Initiative).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Graphite. The attacker can leverage this vulnerability to execute code in the context of the current process (Zero Day Initiative).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. The vendor was contacted multiple times regarding the vulnerability: initial report on November 8, 2024, followed by update requests on March 12, 2025, and May 2, 2025. Despite confirmation of the issue being in progress, no patch was released before the public disclosure (Zero Day Initiative).