Impact
A heap memory leak occurs when the Imager::File::JPEG module parses JPEG images that contain multiple APP13 markers. With each APP13 marker the code allocates a new buffer but never frees the previous one, so the first N-1 payloads remain in memory. Repeated processing of such crafted images in a long‑lived process gradually exhausts available memory, culminating in application crash or refusal to service requests. The underlying weakness is a classic memory leak (CWE‑401).
Affected Systems
The flaw affects Perl applications that use the TONYC Imager::File::JPEG module, specifically versions earlier than 1.003, and the bundled Imager distribution before 1.032. Any service that uploads, processes, or thumbnails JPEG images—such as web upload handlers, content management systems, or image‑processing microservices—is potentially impacted.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score of < 1% indicates a very low exploitation probability, though not zero. The nature of the flaw still allows a remote attacker to trigger the memory leak by submitting JPEG files containing a large number of APP13 markers to a vulnerable service. The likely attack vector is remote file upload, and the prerequisite is that the service uses the affected module and does not filter input. The vulnerability is not listed in the CISA KEV catalog, but the ability to exhaust memory in continuously running processes makes it a significant risk.
OpenCVE Enrichment