{"id":"CVE-2025-0634","details":"Use After Free vulnerability in Samsung Open Source rLottie allows Remote Code Inclusion. This issue affects rLottie: V0.2.","modified":"2026-04-12T19:53:17.313833Z","published":"2025-06-30T02:15:20.920Z","references":[{"type":"REPORT","url":"https://github.com/Samsung/rlottie/pull/571"},{"type":"FIX","url":"https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/samsung/rlottie","events":[{"introduced":"0"},{"last_affected":"bf3d272df3916a0c34575ac8286cb0fe672fd0d4"},{"fixed":"507ea027e47d3e1dc7ddbd9994621215eae7ebb9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.2"}]}}],"versions":["v0.1","v0.2"],"database_specific":{"vanir_signatures":[{"id":"CVE-2025-0634-6e4e5aff","digest":{"threshold":0.9,"line_hashes":["1680078744998775450546897286106159080","281274337787590333870186503369247391457","114646057763454309563718641122470238653","92920650848282273877990483716988176886","129316867285711219374874106045189563362","80341495789011435719919370952384867865","177735148216854572913049190379865782927"]},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Line","deprecated":false,"target":{"file":"src/vector/freetype/v_ft_raster.cpp"},"signature_version":"v1"},{"id":"CVE-2025-0634-6e8b58cd","digest":{"function_hash":"245072279660895681463165607939651442691","length":702},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Function","deprecated":false,"target":{"function":"model::Gradient::populate","file":"src/lottie/lottiemodel.cpp"},"signature_version":"v1"},{"id":"CVE-2025-0634-a31638c3","digest":{"function_hash":"204695745559461646160451190006875346027","length":945},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Function","deprecated":fa
lse,"target":{"function":"renderer::CompLayer::CompLayer","file":"src/lottie/lottieitem.cpp"},"signature_version":"v1"},{"id":"CVE-2025-0634-a807a540","digest":{"threshold":0.9,"line_hashes":["256330220647333664384347142197709906959","14636760670615604174999965533490805572","248068210384551633734720372787180215762","885945138917674059487286142663491422","214193567666159470565275389681439777208","208386303999048609830415019542952255799","268090434518123338066875699580349007689","239396402115646766267371972361776749701","189156972010994894469905246412134376139","269326389554893786478873603632266464029","73354721965288673988069985817752705605","130444555069623272652857241149583848651"]},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Line","deprecated":false,"target":{"file":"src/lottie/lottiemodel.cpp"},"signature_version":"v1"},{"id":"CVE-2025-0634-b36d82e2","digest":{"threshold":0.9,"line_hashes":["199838554978675382372929681099709638107","74482444880095085316538053223376869934","195102133323160246926983532004809375652","274659082006209275158349786699720102919","85575780588459111992727752531821228784","164802824739798189736408756487607379487","35872641386154027615479021697838145070","15629907309339067094108889384213062892","228909627023667530641214910598204896395","41859121103796102739840443019593883832","94795492286309594214737227792179697140","327776696422307682639028435009871451346","285211909265985432020507933275415669964","138963012739067062143722170987802020120","129208076145117739748049887198000770562","178912350714117990126103118658683901559","318741435884125395496477248372216941719","332897015697222535459662072273993433764","100945789949508853237470597088551868436"]},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Line","deprecated":false,"target":{"file":"src/lottie/lottiemodel.h"},"signature_version":"v1"},{"id":"CVE-2025-0634-bb
55ad1c","digest":{"threshold":0.9,"line_hashes":["270902570440563698446662908798757922348","27143693503514119299763879232175851819","40210664307617790830819626050327568157","280889734117050877946506648243290921720"]},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Line","deprecated":false,"target":{"file":"src/lottie/lottieitem.cpp"},"signature_version":"v1"},{"id":"CVE-2025-0634-f605f55d","digest":{"function_hash":"194615939889822493272516550367963902398","length":2345},"source":"https://github.com/samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9","signature_type":"Function","deprecated":false,"target":{"function":"gray_render_line","file":"src/vector/freetype/v_ft_raster.cpp"},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T19:53:17Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0634.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}