Threat Advisory

RSA BSAFE Crypto-C Out-of-Bounds Read Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security flaws were disclosed in three products: a popular screenwriting editor, a repository scanning tool, and a legacy crypto library. Two issues in the screenwriting app allow crafted files to corrupt memory (CVSS 7.8 each). The repository scanner can be fed a crafted repository that runs arbitrary code on the host where it runs (CVSS 7.8). The crypto library has ASN.1 parsing errors that can cause out-of-bounds reads or denial of service.

  • CVE-2025-53855: A specially crafted .fadein file can cause the XML parser to write outside allocated memory. Successful exploitation can corrupt memory and may lead to program crash or further code impact on the host. This is a local file parsing issue; do not open untrusted .fadein files.
  • CVE-2025-53814: A specially crafted .xml file triggers a use-after-free inside the same XML parser, which can cause heap memory corruption. An attacker who can get a user or process to load a malicious file may be able to disrupt the app or escalate impact. Treat untrusted XML files as risky.
  • CVE-2025-41390: The tool’s handling of git repositories can be abused by a malicious repository to execute code when the repo is processed. A user or automated system that scans third-party or untrusted repos can be led to run attacker code. Restrict which repos are scanned and run the scanner with least privilege.
  • CVE-2019-3728: Malformed ASN.1 records can trigger integer overflows, underflows, or stack overflows during parsing. This can cause out-of-bounds reads or crashes, taking down services that rely on the library. The library is at end of service; systems using vulnerable builds should be prioritized for mitigation.
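The ASN.1 failure mode described above, shown from the defender's side as an added example rather than BSAFE's own code: a DER tag-length-value parser that checks every declared length against the bytes actually remaining before using it, so a crafted length can neither wrap the arithmetic nor read past the buffer. The type, function and sample names (der_tlv, der_parse_tlv, der_check_sequence, the der_* arrays) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
/* One parsed DER tag-length-value header (example type, not a library API). */
typedef struct { uint8_t tag; size_t hdr_len; size_t len; } der_tlv;
/* Parse a TLV header from buf[0..buf_len). Returns 1 on success, 0 on malformed or
 * truncated input; each step is checked against the remaining bytes so a hostile
 * length can neither wrap size_t nor point past the buffer. */
int der_parse_tlv(const uint8_t *buf, size_t buf_len, der_tlv *out)
{
    if (buf == NULL || out == NULL || buf_len < 2) return 0;
    size_t pos = 0, len;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return 0;            /* multi-byte tags: out of scope */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                                /* short form */
    } else {
        size_t n = first & 0x7f;                    /* number of length octets */
        if (n == 0 || n > sizeof(size_t)) return 0; /* indefinite, or would overflow */
        if (n > buf_len - pos) return 0;            /* length octets truncated */
        if (buf[pos] == 0) return 0;                /* DER forbids leading zero octets */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;                   /* DER forbids long form here */
    }
    if (len > buf_len - pos) return 0;              /* content would exceed buffer */
    out->tag = tag; out->hdr_len = pos; out->len = len;
    return 1;
}
/* Count the children of an outer SEQUENCE; -1 if any header is malformed or a
 * child overruns the body. pos cannot wrap: hdr_len + len was checked above. */
int der_check_sequence(const uint8_t *buf, size_t buf_len)
{
    der_tlv t;
    if (!der_parse_tlv(buf, buf_len, &t) || t.tag != 0x30) return -1;
    const uint8_t *body = buf + t.hdr_len;
    int count = 0;
    for (size_t pos = 0; pos < t.len; count++) {
        der_tlv c;
        if (!der_parse_tlv(body + pos, t.len - pos, &c)) return -1;
        pos += c.hdr_len + c.len;
    }
    return count;
}
/* Constructed samples: a valid SEQUENCE { INTEGER 1, INTEGER 2 }, then malformed ones. */
const uint8_t der_ok[]        = {0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02};
const uint8_t der_huge_len[]  = {0x30,0x84,0xff,0xff,0xff,0xff}; /* claims ~4 GiB */
const uint8_t der_truncated[] = {0x30,0x04,0x02,0x05,0x01,0x02}; /* child overruns body */
const uint8_t der_indef[]     = {0x30,0x80};                     /* indefinite length */
```

The malformed samples are the shapes a fuzzer typically finds first against a length-trusting parser; each is rejected before any read past the input.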

RECOMMENDATION:

We strongly recommend you upgrade RSA BSAFE Crypto-C to version 6.5 or later, Crypto-C Micro Edition to version 4.0.5.4 or 4.1.4 and above, and BSAFE Micro Edition Suite to version 4.0.13 or 4.4 and above.

REFERENCES:

The following reports contain further technical details:

https://blog.talosintelligence.com/trufflehog-fade-in-and-bsafe-crypto-c-vulnerabilities/
