CVE-2025-54489 (GCVE-0-2025-54489)
Vulnerability from cvelistv5
Published
2025-08-25 13:53
Modified
2025-08-25 19:03
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-121 - Stack-based Buffer Overflow
Summary
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63: else if (tag==63) { uint8_t tag2=255, len2=255; count = 0; while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){ curPos += ifread(&tag2,1,1,hdr); curPos += ifread(&len2,1,1,hdr); if (VERBOSE_LEVEL==9) fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\n",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count); if (FlagInfiniteLength && len2==0 && tag2==0) break; count += (2+len2); curPos += ifread(&buf,1,len2,hdr); Here, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255.
References
talos-cna@cisco.comhttps://talosintelligence.com/vulnerability_reports/TALOS-2025-2234Exploit, Third Party Advisory
Impacted products
Vendor Product Version
The Biosig Project libbiosig Version: 3.9.0
Version: Master Branch (35a819fa)
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54489",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-25T19:03:04.171729Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-25T19:03:12.538Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libbiosig",
          "vendor": "The Biosig Project",
          "versions": [
            {
              "status": "affected",
              "version": "3.9.0"
            },
            {
              "status": "affected",
              "version": "Master Branch (35a819fa)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Mark Bereza and Lilith \u0026gt;_\u0026gt; of Cisco Talos."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63:\r\n\r\n                else if (tag==63) {\r\n                    uint8_t tag2=255, len2=255;\r\n\r\n                    count = 0;\r\n                    while ((count\u003clen) \u0026\u0026 !(FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0)){\r\n                        curPos += ifread(\u0026tag2,1,1,hdr);\r\n                        curPos += ifread(\u0026len2,1,1,hdr);\r\n                        if (VERBOSE_LEVEL==9)\r\n                            fprintf(stdout,\"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\\n\",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count);\r\n\r\n                        if (FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0) break;\r\n\r\n                        count  += (2+len2);\r\n                        curPos += ifread(\u0026buf,1,len2,hdr);\r\n\r\nHere, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T13:53:46.340Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234",
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2025-54489",
    "datePublished": "2025-08-25T13:53:46.340Z",
    "dateReserved": "2025-07-23T14:45:55.835Z",
    "dateUpdated": "2025-08-25T19:03:12.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54489\",\"sourceIdentifier\":\"talos-cna@cisco.com\",\"published\":\"2025-08-25T14:15:35.233\",\"lastModified\":\"2025-09-02T16:42:26.920\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63:\\r\\n\\r\\n                else if (tag==63) {\\r\\n                    uint8_t tag2=255, len2=255;\\r\\n\\r\\n                    count = 0;\\r\\n                    while ((count\u003clen) \u0026\u0026 !(FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0)){\\r\\n                        curPos += ifread(\u0026tag2,1,1,hdr);\\r\\n                        curPos += ifread(\u0026len2,1,1,hdr);\\r\\n                        if (VERBOSE_LEVEL==9)\\r\\n                            fprintf(stdout,\\\"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\\\\n\\\",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count);\\r\\n\\r\\n                        if (FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0) break;\\r\\n\\r\\n                        count  += (2+len2);\\r\\n                        curPos += ifread(\u0026buf,1,len2,hdr);\\r\\n\\r\\nHere, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de desbordamiento de b\u00fafer en la pila en la funcionalidad de an\u00e1lisis MFER de The Biosig Project libbiosig 3.9.0 y Master Branch (35a819fa). Un archivo MFER especialmente manipulado puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante puede proporcionar un archivo malicioso para activar esta vulnerabilidad. Esta vulnerabilidad se manifiesta en la l\u00ednea 8970 de biosig.c en la rama maestra actual (35a819fa), cuando la etiqueta es 63: else if (tag==63) { uint8_t tag2=255, len2=255; count = 0; while ((count\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"talos-cna@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:libbiosig_project:libbiosig:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.9.1\",\"matchCriteriaId\":\"4893D615-FD95-4393-A5B0-E1BE19F180A6\"}]}]}],\"references\":[{\"url\":\"https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234\",\"source\":\"talos-cna@cisco.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54489\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-25T19:03:04.171729Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-25T19:03:08.278Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Discovered by Mark Bereza and Lilith \u0026gt;_\u0026gt; of Cisco Talos.\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"The Biosig Project\", \"product\": \"libbiosig\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.9.0\"}, {\"status\": \"affected\", \"version\": \"Master Branch (35a819fa)\"}]}], \"references\": [{\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234\", \"name\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63:\\r\\n\\r\\n                else if (tag==63) {\\r\\n                    uint8_t tag2=255, len2=255;\\r\\n\\r\\n                    count = 0;\\r\\n                    while ((count\u003clen) \u0026\u0026 !(FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0)){\\r\\n                        curPos += ifread(\u0026tag2,1,1,hdr);\\r\\n                        curPos += ifread(\u0026len2,1,1,hdr);\\r\\n                        if (VERBOSE_LEVEL==9)\\r\\n                            fprintf(stdout,\\\"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\\\\n\\\",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count);\\r\\n\\r\\n                        if (FlagInfiniteLength \u0026\u0026 len2==0 \u0026\u0026 tag2==0) break;\\r\\n\\r\\n                        count  += (2+len2);\\r\\n                        curPos += ifread(\u0026buf,1,len2,hdr);\\r\\n\\r\\nHere, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b\", \"shortName\": \"talos\", \"dateUpdated\": \"2025-08-25T13:53:46.340Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54489\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-25T19:03:12.538Z\", \"dateReserved\": \"2025-07-23T14:45:55.835Z\", \"assignerOrgId\": \"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b\", \"datePublished\": \"2025-08-25T13:53:46.340Z\", \"assignerShortName\": \"talos\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.