QwikSec

Security Database

CVE

CWE

Training

CVE-2025-53367

Published: Jul 3, 2025

Modified: Nov 4, 2025

PUBLISHED

Description

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29.

Vendor	Product	Versions
DjvuNet	DjVuLibre	affected `< 3.5.29`

Weaknesses (CWE)

References

https://securitylab.github.com/advisories/GHSL-2025-055_DjVuLibre/

x_refsource_CONFIRM

https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre

x_refsource_MISC

https://github.com/github/securitylab/tree/main/SecurityExploits/DjVuLibre/MMRDecoder_scanruns_CVE-2025-53367

x_refsource_MISC

https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da

x_refsource_MISC

https://www.openwall.com/lists/oss-security/2025/07/03/1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.