{"id":"CVE-2025-30305","details":"XMP Toolkit versions 2023.12 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","modified":"2026-04-12T14:42:33.158405Z","published":"2025-04-08T19:15:51.027Z","references":[{"type":"ADVISORY","url":"https://helpx.adobe.com/security/products/xmpcore/apsb25-34.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/adobe/xmp-toolkit-sdk","events":[{"introduced":"0"},{"fixed":"581c41213ddcee1fbc72cbb532531102a6617a25"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2025.03"}]}}],"versions":["v2020.1","v2021.07","v2021.08","v2021.10","v2022.02","v2022.06","v2023.07","v2023.12"],"database_specific":{"vanir_signatures":[{"target":{"file":"XMPFiles/source/FormatSupport/ReconcileTIFF.cpp"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["126636771179267164347849124104795878245","146311462694702441864604298611546141686","229694796421047086589626576460393590208","333049585819998709432590915625886727448","327344094990431339669481462780498307920","185860195157659454465178398241492620444","27437563912872136019565540546888073161"]},"signature_type":"Line","id":"CVE-2025-30305-0fdc4107","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FileHandlers/MPEG4_Handler.cpp","function":"MPEG4_MetaHandler::ParseTimecodeTrack"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"function_hash":"221465110125069646214356567680915949747","length":4953},"signature_type":"Function","id":"CVE-2025-30305-2278309c","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["187518944139985249420273412500574211097","15583002584226428710291704495432648427","205985667509089914986957604550275770335"]},"signature_type":"Line","id":"CVE-2025-30305-3b510a9b","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FileHandlers/MPEG4_Handler.cpp"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["125129654406807451222550634922981563100","9544207699385971335663201338877825513","311545938769563290809438059876576815640","131638305182527215685738375823343845434","296059875309506548659418954941307465628","317752850298652022554702432266603748686"]},"signature_type":"Line","id":"CVE-2025-30305-7b21aa7d","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FormatSupport/ReconcileTIFF.cpp","function":"ImportConversionTable"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"function_hash":"103952551366490071579651973526231604574","length":2190},"signature_type":"Function","id":"CVE-2025-30305-c5dfc716","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp","function":"TIFF_MemoryReader::GetTag"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"function_hash":"1182487954308599792182195617916173662","length":576},"signature_type":"Function","id":"CVE-2025-30305-e38fa175","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FormatSupport/ASF_Support.cpp","function":"ASF_Support::ReadHeaderObject"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"function_hash":"203380090588908134117353179680189655717","length":4395},"signature_type":"Function","id":"CVE-2025-30305-ede195aa","signature_version":"v1"},{"target":{"file":"XMPFiles/source/FormatSupport/ASF_Support.cpp"},"source":"https://github.com/adobe/xmp-toolkit-sdk/commit/581c41213ddcee1fbc72cbb532531102a6617a25","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["270222890788802721821863585226932284769","197411064336870393814664177552957050643","46555676254762346810097850001586770172","162603547392460467271159842841031210326","86296364783011747475092427852147418728","151231048613982874318140143371889519049","273233510198261307236627151114006245917","9058603271038788767604125618184217002"]},"signature_type":"Line","id":"CVE-2025-30305-f4450138","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30305.json","vanir_signatures_modified":"2026-04-12T14:42:33Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}