Api Layer 7 Gateway and libpng-dev vulnerability

Article ID: 424060

Updated On:

Products

CA API Gateway

Issue/Introduction

We are using Gateway 11.1.2 OVA. Our team has identified the vulnerabilities below in its latest scan.

Note: The report was taken after applying the Layer7_API_PlatformUpdate_64bit_v11.1-Debian-2025-11-25.L7P patch.

Plugin Name                                    | Severity | CVE
Debian dsa-6076 : libpng-dev - security update | High     | CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293
  • CVE-2025-65018 (High Severity - CVSS 7.1): A heap buffer overflow in the simplified API function png_image_finish_read. It occurs when processing 16-bit interlaced PNGs with an 8-bit output format. This is the most critical of the set as it could potentially lead to arbitrary code execution through heap corruption.

  • CVE-2025-64720 (High Severity - CVSS 7.1): An out-of-bounds read in png_image_read_composite. It is triggered by palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled, where incorrect background compositing violates internal API invariants. This can lead to application crashes or information disclosure.

  • CVE-2025-64505 (Moderate Severity - CVSS 6.1): A heap buffer over-read in png_do_quantize. It stems from improper validation of malformed palette indices, allowing an attacker to read out-of-bounds memory.

  • CVE-2025-64506 (Moderate Severity - CVSS 6.1): A heap buffer over-read in png_write_image_8bit. An incorrect conditional guard allows 8-bit input to enter code paths expecting 16-bit input, causing reads up to 2 bytes beyond the buffer.

  • CVE-2025-66293 (Under Evaluation): While this identifier is part of the same late-2025 testing cycle for libpng, specific technical details for this particular ID are less widely documented in public primary repositories compared to the others. It likely represents another variant of the buffer/memory handling flaws discovered during the same research period.

Environment

All supported versions of API Layer7 Gateway application.

Cause

Vulnerability.

Resolution

Security Assessment for libpng Vulnerabilities (CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293)
Risk Assessment
  • Impact: None. The Gateway application does not utilize libpng as a functional dependency; the package is present only as a default component of the base Debian OS.
  • Status: Not Affected / Mitigated.
Version Analysis & Mitigation Status
The vulnerabilities identified in late 2025 (fixed upstream in version 1.6.51/1.6.52) have been addressed by Debian through Security Backports (DSA-6076-1). This means the security fixes were applied to the existing stable versions in the repository without requiring a jump to a new upstream version number.

Environment          | Current OS Package Version | Debian Repository Status                  | Security Status
Debian 12 (Bookworm) | 1.6.39-2+deb12u1           | Latest Stable: Patched via security repo. | Fixed
Debian 13 (Trixie)   | 1.6.48-1+deb13u1           | Latest Stable: Patched via security repo. | Fixed
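Because the DSA fix is a backport, the installed package keeps its 1.6.39/1.6.48 upstream number and a scanner keyed on upstream 1.6.51 will keep flagging it; the correct check is whether the Debian package version is at or above the DSA-6076-1 fixed version. The following is an added example (not Broadcom's or Debian's own code): a reimplementation of dpkg's version-comparison rules in Python, applied to constructed `dpkg-query` output, with the fixed versions taken from the table above.

```python
import re
from itertools import zip_longest

def _order(c):
    # Debian ordering of one non-digit char: '~' < end-of-string/digit < letters < symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare one version component as alternating (non-digit, digit) runs.
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def deb_version_cmp(v1, v2):
    """Return <0, 0 or >0, like dpkg --compare-versions lt/eq/gt."""
    def split(v):  # [epoch:]upstream[-revision]; the revision follows the LAST hyphen
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), upstream if sep else rest, revision if sep else ""
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Fixed package versions from DSA-6076-1 as listed in the article.
DSA_6076_FIXED = {"bookworm": "1.6.39-2+deb12u1", "trixie": "1.6.48-1+deb13u1"}

def is_fixed(installed, suite):
    return deb_version_cmp(installed, DSA_6076_FIXED[suite]) >= 0

def audit(dpkg_output, suite):
    # dpkg_output: text of  dpkg-query -W -f='${Package} ${Version}\n' 'libpng*'
    verdict = {}
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if pkg:
            verdict[pkg] = "fixed" if is_fixed(ver, suite) else "vulnerable"
    return verdict
# Constructed sample output for a patched Bookworm host (not a real capture).
SAMPLE_BOOKWORM = "libpng-dev 1.6.39-2+deb12u1\nlibpng16-16 1.6.39-2+deb12u1\n"
```

Run `audit` over the real `dpkg-query` output of the Gateway host; a result of "vulnerable" for any libpng package means the security repository update has not been applied.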

Conclusion

While upstream version 1.6.53 is the current external release as of January 2026, the specific CVEs are successfully mitigated in the current Debian versions listed above. No further action or manual package installation is required.

Note: It is always recommended to apply the latest MPP as soon as it's made available.