JLSEC-2025-330

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-330.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-330.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2025-330
Upstream
Published
2025-12-01T22:31:38.231Z
Modified
2026-07-18T18:24:09.679654581Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVSS Calculator
Summary
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portabl...
Details

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in pngimagereadcomposite when processing palette images with PNGFLAGOPTIMIZEALPHA enabled. The palette compositing code in pnginitread_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-11-25T00:15:47.460Z",
            "modified": "2026-06-17T09:55:06.230Z",
            "imported": "2026-07-17T21:00:58.120Z",
            "id": "CVE-2025-64720",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-64720",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64720",
            "database_specific": {
                "status": "Analyzed"
            }
        }
    ]
}
References

Affected packages

Julia / libpng_jll

Package

Name
libpng_jll
Purl
pkg:julia/libpng_jll?uuid=b53b4c65-9356-5827-b1ea-8c7a1a84506f

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.51+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-330.json"