Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-66909

Good to know:

icon

Date: December 19, 2025

Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV's imread() function without validating dimensions or pixel count before decompression. An attacker can upload a specially crafted compressed image file (e.g., PNG) that is small when compressed but expands to gigabytes of memory when loaded. This causes immediate memory exhaustion, OutOfMemoryError, and service crash. No authentication is required if the OCR service is publicly accessible. Multiple requests can completely deny service availability.

Severity Score

Related Resources (5)

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66909_report.md
https://github.com/turms-im/turms
https://nvd.nist.gov/vuln/detail/CVE-2025-66909
https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/ai/djl/opencv/ExtendedOpenCVImage.java#L37
https://www.mend.io/vulnerability-database/CVE-2025-66909

Severity Score

Weakness Type (CWE)

Improper Handling of Highly Compressed Data (Data Amplification)

CWE-409

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us