CVE-2025-61594

Published Dec 30, 2025

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61594 is a URI credential leakage vulnerability that bypasses the fix for an earlier issue (CVE-2025-27221). A security advisory for this vulnerability has been published. Separately, the similarly numbered CVE-2025-1594 describes a critical vulnerability in FFmpeg up to version 7.1: it affects the `ff_aac_search_for_tns` function in `libavcodec/aacenc_tns.c` of the AAC Encoder component, and exploitation can lead to a stack-based buffer overflow that can be triggered remotely.

Description
URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.
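The description says the bug is in how `URI#+` combines a base URI with a reference: credentials that belong to the base can end up on the combined URI even when the reference supplies its own authority, which RFC 3986 section 5.2.2 does not allow. The following Ruby is an added example, not code from the uri gem or from the advisory; the sample URIs, the `scrubbed_join` and `leaks_credentials?` helpers and the `BASE` constant are constructed for illustration. It wraps the join and drops userinfo that could only have been inherited from the base, and gives a quick check a team can run against its installed gem. The actual fix is upgrading to 0.12.5, 0.13.3 or 1.0.4 as stated above; the wrapper is defence in depth for code paths that cannot upgrade immediately.

```ruby
require 'uri'

# Constructed sample base URI carrying credentials (not from the advisory).
BASE = 'https://deploy:s3cr3t@repo.example.org/api/v1/'.freeze

# Combine base and reference with URI#+ and then enforce the RFC 3986 rule:
# a reference that brings its own authority (a host) but no userinfo must not
# end up carrying the base's credentials.
def scrubbed_join(base, reference)
  base_uri = URI.parse(base)
  ref_uri  = URI.parse(reference)
  joined   = base_uri + ref_uri

  if ref_uri.host && ref_uri.userinfo.nil? && joined.userinfo
    # URI::Generic#userinfo= ignores nil, so clear password then user explicitly
    # (password first: the gem rejects a password without a user).
    joined.password = nil
    joined.user = nil
  end
  joined
end

# True when a plain URI#+ on this installation copies the base's credentials
# onto a result whose authority came from the reference. Returns false for
# references without a host, where inheriting the base authority is correct.
def leaks_credentials?(base, reference)
  base_uri = URI.parse(base)
  ref_uri  = URI.parse(reference)
  return false unless base_uri.userinfo && ref_uri.host && ref_uri.userinfo.nil?

  (base_uri + ref_uri).userinfo == base_uri.userinfo
end

if $PROGRAM_NAME == __FILE__
  # A network-path reference ('//host/path') is the classic case: the authority
  # comes from the reference, so no credentials should survive the join.
  ref = '//mirror.example.net/pkg'
  puts "uri gem leaks base credentials for #{ref}: #{leaks_credentials?(BASE, ref)}"
  puts "scrubbed: #{scrubbed_join(BASE, ref)}"
  puts "same-origin relative join keeps credentials: #{scrubbed_join(BASE, 'users')}"
end
```

`leaks_credentials?` is a regression probe, not a scanner: run it in a test suite so a downgraded or vendored copy of the gem is caught, and keep `scrubbed_join` on any path that builds outbound URLs from a credentialed base.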
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
2.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
LOW

Weaknesses

security-advisories@github.com
CWE-212
