CVE-2025-3409

A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 6.3 MEDIUM
CVSS v2.0 7.5 HIGH

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://vuldb.com/?ctiid.303687	Permissions Required VDB Entry
https://vuldb.com/?id.303687	Third Party Advisory VDB Entry
https://vuldb.com/?submit.544231	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:nothings:stb_image.h:*:*:*:*:*:*:*:*

History

16 Oct 2025, 15:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nothings:stb_image.h::::::::
First Time		Nothings stb Image.h Nothings
References	~~() https://vuldb.com/?ctiid.303687 -~~	() https://vuldb.com/?ctiid.303687 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.303687 -~~	() https://vuldb.com/?id.303687 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.544231 -~~	() https://vuldb.com/?submit.544231 - Third Party Advisory, VDB Entry

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad crítica en Nothings stb hasta f056911. Esta afecta a la función stb_include_string. La manipulación del argumento path_to_includes provoca un desbordamiento del búfer en la pila. Es posible iniciar el ataque de forma remota. Este producto no utiliza control de versiones. Por ello, no se dispone de información sobre las versiones afectadas y no afectadas. Se contactó al proveedor con antelación para informarle sobre esta divulgación, pero no respondió.

08 Apr 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 05:15

Updated : 2025-10-16 15:08

NVD link : CVE-2025-3409

Mitre link : CVE-2025-3409

CVE.ORG link : CVE-2025-3409

JSON object : View

Products Affected

nothings

stb_image.h

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-121

Stack-based Buffer Overflow

6.3 /10