Two significant security vulnerabilities have been identified in the GNU Image Manipulation Program (GIMP), a widely used open-source image editing software. These vulnerabilities, designated as CVE-2025-2760 and CVE-2025-2761, could enable remote attackers to execute arbitrary code on affected systems. Both issues were publicly disclosed on April 7, 2025, and impact GIMP versions prior to 3.0.0.
Vulnerability Details
The first vulnerability, CVE-2025-2760, pertains to an integer overflow in GIMP’s handling of X Window Dump (XWD) files. This flaw arises from inadequate validation of user-supplied data, leading to an integer overflow before buffer allocation. An attacker can exploit this by crafting a malicious XWD file that, when opened in GIMP, triggers the overflow, potentially allowing the execution of arbitrary code within the context of the application. This vulnerability has been assigned a CVSS v3.0 base score of 7.8, indicating high severity.
The second vulnerability, CVE-2025-2761, involves an out-of-bounds write error in GIMP’s processing of FLIC animation (FLI) files. Similar to the first, this issue stems from insufficient validation of input data, resulting in write operations beyond allocated memory buffers. An attacker can exploit this by creating a specially crafted FLI file that, when opened, causes GIMP to perform unauthorized memory writes, potentially leading to remote code execution. This vulnerability also carries a CVSS v3.0 base score of 7.8.
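Both flaws described above share one root cause: size and offset values read from the file are used for allocation or memory writes without being checked first. The following C program is an added example, not GIMP's own parser code, showing the two defensive patterns an image loader needs: overflow-checked size arithmetic before the allocation (the XWD-style case) and a subtraction-form bounds check before each decoded write (the FLI-style case). The `img_header_t` type, the `write_run` helper and all sample values are constructed for illustration and do not reflect GIMP's real structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header for the example; all three fields are untrusted file data. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} img_header_t;

/* Vulnerable pattern: the 32-bit product wraps before the allocation, so a
 * huge declared image can produce a tiny (even zero-byte) buffer that the
 * decoder later overruns when it writes width*height*bpp bytes. */
size_t unsafe_buffer_size(const img_header_t *h)
{
    uint32_t size = h->width * h->height * h->bytes_per_pixel;
    return size;
}

/* Overflow-checked multiply: reports failure instead of wrapping. */
static bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened pattern: validate each field, multiply with overflow checks and
 * cap the result at a sane limit before any allocation is attempted. */
bool safe_buffer_size(const img_header_t *h, size_t max_bytes, size_t *out)
{
    size_t pixels, bytes;

    if (h->width == 0 || h->height == 0)
        return false;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)
        return false;
    if (!checked_mul_size(h->width, h->height, &pixels))
        return false;
    if (!checked_mul_size(pixels, h->bytes_per_pixel, &bytes))
        return false;
    if (bytes > max_bytes)
        return false;
    *out = bytes;
    return true;
}

/* Bounds-checked write of one decoded run. off and len are untrusted chunk
 * values; the subtraction form avoids the wrap that "off + len <= dst_len"
 * would suffer when off is near SIZE_MAX. */
bool write_run(uint8_t *dst, size_t dst_len, size_t off,
               const uint8_t *src, size_t len)
{
    if (off > dst_len || len > dst_len - off)
        return false;
    memcpy(dst + off, src, len);
    return true;
}

/* --- self-checks on constructed inputs --- */

/* 65536 x 65536 x 1 is 2^32 bytes, which wraps to 0 in 32-bit arithmetic. */
size_t demo_unsafe_wrapped_size(void)
{
    img_header_t h = { 65536u, 65536u, 1u };
    return unsafe_buffer_size(&h);
}

bool demo_safe_rejects_huge(void)
{
    img_header_t h = { 65536u, 65536u, 1u };
    size_t n = 0;
    return safe_buffer_size(&h, (size_t)1 << 28, &n);
}

/* A normal 64 x 64 RGB image is accepted and sized to 12288 bytes. */
size_t demo_safe_accepts_normal(void)
{
    img_header_t h = { 64u, 64u, 3u };
    size_t n = 0;
    return safe_buffer_size(&h, (size_t)1 << 28, &n) ? n : 0;
}

bool demo_write_run_rejects_wrap(void)
{
    uint8_t frame[16] = {0};
    uint8_t run[2] = { 0xAA, 0xBB };
    return write_run(frame, sizeof frame, SIZE_MAX - 1, run, sizeof run);
}

bool demo_write_run_in_bounds(void)
{
    uint8_t frame[16] = {0};
    uint8_t run[4] = { 1, 2, 3, 4 };
    if (!write_run(frame, sizeof frame, 12, run, sizeof run))
        return false;
    return frame[15] == 4;
}

int main(void)
{
    printf("unsafe size for 65536x65536x1: %zu (wrapped)\n", demo_unsafe_wrapped_size());
    printf("safe rejects it: %s\n", demo_safe_rejects_huge() ? "no" : "yes");
    printf("safe size for 64x64x3: %zu\n", demo_safe_accepts_normal());
    printf("wrapping run rejected: %s\n", demo_write_run_rejects_wrap() ? "no" : "yes");
    printf("in-bounds run copied: %s\n", demo_write_run_in_bounds() ? "yes" : "no");
    return 0;
}
```

The cap passed to `safe_buffer_size` is a policy choice for the loader (here 256 MiB, an assumption); rejecting oversized images early also limits memory exhaustion from files that are merely large rather than malformed.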
Discovery and Disclosure Timeline
Security researcher Michael Randrianantenaina discovered these vulnerabilities and reported them through the Zero Day Initiative (ZDI). The vulnerabilities were reported to the GIMP development team on March 9, 2025. Following the report, GIMP version 3.0.0 was released on March 16, 2025, addressing these issues. The public disclosure occurred on April 7, 2025, allowing users time to update their installations.
Impact and Exploitation
Both vulnerabilities require user interaction for exploitation, such as opening a malicious file or visiting a compromised web page. Successful exploitation could allow attackers to execute arbitrary code with the same privileges as the user running GIMP, potentially leading to unauthorized access, data manipulation, or further system compromise.
Mitigation Measures
To mitigate these vulnerabilities, users are strongly advised to upgrade to GIMP version 3.0.0 or later. The GIMP development team has implemented proper input validation mechanisms in this release to prevent such issues. Security vendors have also released patches for their distributions. For instance, SUSE issued a security update on May 13, 2025, addressing CVE-2025-2761 for SUSE Linux Enterprise Server environments. Amazon Linux has classified both vulnerabilities in their security advisory system, with Amazon Linux 2 GIMP Extra packages marked as Not Affected.
Recommendations
Users should immediately update to GIMP 3.0.0 or later to protect against these vulnerabilities. Organizations should also implement security awareness training to educate users about the risks associated with opening untrusted image files, as both vulnerabilities require user interaction for successful exploitation.