PT-2025-52452 · Unknown+2 · Ai/Djl/Opencv/Extendedopencvimage+2

Xzzz111 · Published 2025-12-19 · Updated 2026-01-02

CVE-2025-66909
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Turms AI-Serving module versions prior to v0.10.0

Description: The software contains an image decompression bomb denial-of-service issue. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java uses OpenCV's imread() function to load images without validating dimensions or pixel count before decompression. A crafted compressed image file (e.g., PNG) can expand to gigabytes of memory when loaded, causing memory exhaustion, an OutOfMemoryError, and a service crash. No authentication is required if the OCR service is publicly accessible.

Recommendations: Versions prior to v0.10.0 should be updated.
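A pre-decode size gate of the kind the description calls for, as an added example that is not Turms or DJL code: it reads the declared width and height from the PNG IHDR chunk and rejects the file before imread() is ever called. The class name ImageSizeGate, the helper pngHeader and the 50-megapixel MAX_PIXELS budget are assumptions for illustration, to be tuned per deployment.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

/** Pre-decode size gate for PNG input (added example; not Turms or DJL code). */
public final class ImageSizeGate {
    private static final byte[] PNG_SIG = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    /** Assumed budget: 50 megapixels; an 8-bit RGB decode of this is ~150 MB. */
    static final long MAX_PIXELS = 50_000_000L;

    /** Returns the declared width*height from the PNG IHDR without decoding any pixel data. */
    static long declaredPngPixels(byte[] data) {
        if (data.length < 24 || !Arrays.equals(Arrays.copyOf(data, 8), PNG_SIG)) {
            throw new IllegalArgumentException("not a PNG");
        }
        // Bytes 8..23: chunk length (4), chunk type (4), width (4), height (4), all big-endian.
        ByteBuffer buf = ByteBuffer.wrap(data, 8, 16);
        int len = buf.getInt();
        int type = buf.getInt();
        if (len != 13 || type != 0x49484452) { // the spec requires "IHDR" to be the first chunk
            throw new IllegalArgumentException("malformed PNG header");
        }
        // Width and height are 31-bit unsigned; read as long so the product cannot overflow.
        long width = Integer.toUnsignedLong(buf.getInt());
        long height = Integer.toUnsignedLong(buf.getInt());
        return width * height;
    }

    /** Gate to run before imread(): true only if the declared size fits the budget. */
    static boolean fitsBudget(byte[] data) {
        return declaredPngPixels(data) <= MAX_PIXELS;
    }

    /** Builds the first 24 bytes of a PNG with the given dimensions (constructed test input). */
    static byte[] pngHeader(int width, int height) {
        ByteBuffer buf = ByteBuffer.allocate(24);
        buf.put(PNG_SIG).putInt(13).putInt(0x49484452).putInt(width).putInt(height);
        return buf.array();
    }

    public static void main(String[] args) {
        byte[] small = pngHeader(640, 480);        // 307,200 declared pixels
        byte[] bomb = pngHeader(50_000, 50_000);   // 2.5 billion declared pixels, ~7.5 GB as 8-bit RGB
        System.out.println("640x480 fits budget: " + fitsBudget(small));
        System.out.println("50000x50000 fits budget: " + fitsBudget(bomb));
    }
}
```

The declared size is a lower bound on what the decoder will allocate (width × height × channels × bytes per sample), so the same check belongs in front of every format the service accepts, alongside a per-request memory limit.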

DoS

Related Identifiers: CVE-2025-66909

Affected Products: Opencv, Turms, Ai/Djl/Opencv/Extendedopencvimage