ExifTool CVE-2021-22204 - Arbitrary Code Execution
Background
While looking at one of my favourite bug bounty programs, I noticed they were using ExifTool to strip tags from uploaded images. I’d used ExifTool numerous times in the past but didn’t even know what language it was written in. An older version was being used (11.70), so I thought maybe there could be some existing CVEs that could be abused, as parsing file formats is hard.
A quick search showed only one old CVE from 2018, so I decided to look at the source instead. It turns out that it...
Read more at devcraft.io