CVE-2025-13601: Critical Heap Overflow Plagues GLib URI Escaping

Overview

A high-severity heap-based buffer overflow vulnerability, identified as CVE-2025-13601, has been discovered in the GLib library. This flaw resides within the g_escape_uri_string() function and can lead to arbitrary code execution or denial-of-service attacks.

Technical Details

The vulnerability stems from an incorrect calculation of the required buffer size within the g_escape_uri_string() function, which percent-encodes characters that are not permitted in a URI. If the input string contains a very large number of characters that require escaping (characters outside the allowed set), the computation of the escaped string's length can overflow, so a smaller-than-required buffer is allocated. Writing the escaped string into this undersized buffer produces a heap-based buffer overflow that can overwrite adjacent memory regions.

The root cause is the multiplication used to determine the output buffer size. Because each character that needs escaping expands to a three-byte %XX sequence, a large enough count of such characters makes the multiplication exceed the maximum value of the integer type used for the calculation, and the result wraps around to a smaller value. The allocation uses this wrapped value, and the escaping loop then writes past the end of the allocated memory.
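The following is an added illustration, not GLib's g_escape_uri_string() source, of the size-arithmetic pattern the advisory describes: an unchecked size computation that wraps when the escape count is large, placed beside a checked computation that refuses input whose escaped length cannot be represented, and a small percent-encoder built on the checked form. The function names, the 32-bit size type in the unchecked variant, the character set treated as "needing escape", and the sample inputs are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not GLib's): RFC 3986 unreserved characters pass
 * through; everything else is percent-encoded as %XX (three bytes). */
static int needs_escape(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return 0;
    return !(c == '-' || c == '.' || c == '_' || c == '~');
}

/* The flawed pattern: escaped length = len + 2 * n_escape + 1 computed in a
 * 32-bit type with no overflow check. For large counts the result wraps and
 * is smaller than the unescaped input, so a later malloc() is undersized. */
uint32_t escaped_size_unchecked(uint32_t len, uint32_t n_escape)
{
    return len + n_escape * 2u + 1u;
}

/* Hardened form: verify that len + 2 * n_escape + 1 fits in size_t before
 * computing it. Returns 0 (and leaves *out untouched) when it would not. */
int escaped_size_checked(size_t len, size_t n_escape, size_t *out)
{
    if (len > SIZE_MAX - 1)
        return 0;                       /* no room even for the terminator */
    if (n_escape > (SIZE_MAX - 1 - len) / 2)
        return 0;                       /* 2 * n_escape would overflow */
    *out = len + 2 * n_escape + 1;
    return 1;
}

/* Convenience wrapper for testing: the checked size, or 0 on overflow. */
size_t checked_size_or_zero(size_t len, size_t n_escape)
{
    size_t total = 0;
    return escaped_size_checked(len, n_escape, &total) ? total : 0;
}

/* Percent-encoder using the checked size. Returns a malloc()ed string, or
 * NULL if the escaped length cannot be represented or allocation fails. */
char *escape_uri_checked(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n_escape = 0, total, i, j = 0;
    char *out;

    for (i = 0; i < len; i++)
        if (needs_escape((unsigned char)s[i]))
            n_escape++;

    if (!escaped_size_checked(len, n_escape, &total))
        return NULL;                    /* refuse instead of wrapping */

    out = malloc(total);
    if (!out)
        return NULL;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (needs_escape(c)) {
            out[j++] = '%';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0F];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';                      /* j == total - 1 by construction */
    return out;
}

/* Test helper: 1 if escaping `in` yields exactly `expected`. */
int escape_matches(const char *in, const char *expected)
{
    char *r = escape_uri_checked(in, strlen(in));
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}
```

With len = 0x60000000 and n_escape = 0x60000000 (every byte needs escaping), the unchecked computation yields 0x20000001, less than the input itself; the checked variant either returns the true size or reports failure, which is the behaviour a caller can act on.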

CVSS Analysis

This vulnerability has been assigned a CVSS score of 7.7, indicating a high severity. The CVSS vector is likely similar to: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H.

  • Attack Vector (AV): Network (N) – The vulnerability is exploitable over a network.
  • Attack Complexity (AC): Low (L) – Exploitation requires little specialized knowledge.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required to exploit the vulnerability.
  • Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
  • Confidentiality Impact (C): Low (L) – Limited impact on confidentiality.
  • Integrity Impact (I): Low (L) – Limited impact on integrity.
  • Availability Impact (A): High (H) – Significant impact on availability (e.g., denial of service).

Possible Impact

Successful exploitation of CVE-2025-13601 can have significant consequences:

  • Denial of Service (DoS): The buffer overflow can cause the application using GLib to crash, leading to a denial of service.
  • Arbitrary Code Execution: In more complex scenarios, attackers might be able to leverage the heap overflow to execute arbitrary code on the affected system, potentially gaining complete control.
  • Data Corruption: The overflow could overwrite adjacent memory regions, leading to data corruption and unpredictable application behavior.

Applications that extensively rely on g_escape_uri_string() for URI manipulation are particularly vulnerable.

Mitigation and Patch Steps

The primary mitigation strategy is to update GLib to a patched version that addresses the vulnerability. Contact your Linux distribution vendor or software provider for updated packages. Check the references below for specific patch information.

  • Apply Patches: Update to the latest version of GLib containing the fix for this vulnerability. See the merge request link below for details.
  • Workarounds (if available): If patching is not immediately feasible, consider carefully validating the input strings passed to g_escape_uri_string() to minimize the number of characters requiring escaping. However, this should be considered a temporary measure, as it might not be foolproof.

References
