PatchSiren cyber security CVE debrief
CVE-2025-70103 libjxl CVE debrief
A heap buffer overflow vulnerability exists in libjxl 0.12.0, triggered when crafted PBM images are processed by the jxl::extras::DecodeImagePNM function in lib/extras/dec/pnm.cc. The CVE record was published on 2026-05-27 and carries a HIGH severity CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The issue was reported via a GitHub issue and subsequently addressed through a pull request. No exploitation in the wild or use in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: libjxl
- Product: libjxl
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running libjxl 0.12.0 for image processing, particularly those handling untrusted PBM image uploads or conversions. Developers integrating libjxl into applications with external image input surfaces. Security teams monitoring image processing libraries for memory safety vulnerabilities.
Technical summary
The vulnerability is a heap-based buffer overflow (CWE-122) in version 0.12.0 of libjxl, the JPEG XL reference library. The flaw resides in the PNM/PBM image decoder, specifically within jxl::extras::DecodeImagePNM in lib/extras/dec/pnm.cc. Crafted PBM image files can trigger the overflow during decoding. Per the CVSS vector, the vulnerability is reachable over the network with low attack complexity and requires no privileges or user interaction, though the scored impact is limited to low confidentiality, integrity, and availability effects. A fix has been merged via GitHub pull request 4338.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade libjxl to a version containing the fix from pull request 4338
- Review and restrict processing of untrusted PBM image files
- Monitor for updates to libjxl security advisories
- Apply principle of least privilege for image processing services
Evidence notes
The vulnerability description and technical details are sourced from the official CVE record and NVD entry. The affected function (jxl::extras::DecodeImagePNM) and file location (lib/extras/dec/pnm.cc) are explicitly documented in the CVE description. CVSS vector and score are drawn from NVD data. The vendor is identified as the libjxl project based on repository references, though the vendor field in source data is marked as requiring review.
Official resources
The vulnerability was disclosed through coordinated disclosure via GitHub issue tracking and pull request workflow, with public disclosure occurring on 2026-05-27.