Summary
The iOS MLKitTextRecognitionCommon.framework statically bundles outdated copies of
libpng and libtiff that are affected by recently disclosed CVEs. Because these libraries
are compiled into Google's pre-built binary, downstream SDKs and apps cannot patch them
and are flagged by enterprise security scanners.
Affected SDK
- Pod: GoogleMLKit/TextRecognition (verified across versions 6.0.0 through 9.0.0)
- Framework: MLKitTextRecognitionCommon.framework
- Platform: iOS
Bundled library versions (verified via `strings` on the published pod binary)

| Library | Version in framework | Affected CVEs | Fixed upstream in |
|---|---|---|---|
| libpng | 1.6.38 (Sep 14, 2022) | CVE-2025-64720, CVE-2025-65018 | libpng 1.6.51 (Nov 22, 2025) |
| libtiff | 4.6.0–4.7.0 (varies by Common version) | CVE-2025-9900 | libtiff 4.7.1 |
| libjpeg-turbo | 2.1.5.1 | (informational, not flagged) | — |
How to reproduce
```bash
# After `pod install` of GoogleMLKit/TextRecognition:
BIN=Pods/MLKitTextRecognitionCommon/Frameworks/MLKitTextRecognitionCommon.framework/MLKitTextRecognitionCommon
strings "$BIN" | grep -iE "libpng version|LIBTIFF, Version"
# Output includes:
# libpng version 1.6.38
# LIBTIFF, Version 4.6.0 (or 4.7.0 on newer Common releases)
```
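The same check, turned into a small inventory script that compares the embedded version strings against the fixed-upstream versions from the table above. This is an added example, not part of the original report or of the ML Kit project; the `strings` output it parses by default is a constructed sample, and passing a path runs the real `strings` binary on that file.

```python
import re
import subprocess
import sys
from typing import Dict, Iterable, Tuple

# Version banners the two libraries embed in their binaries (the same
# patterns the grep above matches on).
PATTERNS = {
    "libpng": re.compile(r"libpng version (\d+\.\d+\.\d+)"),
    "libtiff": re.compile(r"LIBTIFF, Version (\d+\.\d+\.\d+)"),
}
# First upstream release containing the fixes, taken from the table above.
FIXED_IN = {
    "libpng": "1.6.51",   # CVE-2025-64720, CVE-2025-65018
    "libtiff": "4.7.1",   # CVE-2025-9900
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.6.38' into (1, 6, 38) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def find_bundled_versions(lines: Iterable[str]) -> Dict[str, str]:
    """Map library name -> first version banner seen in the strings output."""
    found: Dict[str, str] = {}
    for line in lines:
        for lib, pat in PATTERNS.items():
            m = pat.search(line)
            if m and lib not in found:
                found[lib] = m.group(1)
    return found

def outdated_libraries(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {lib: (bundled_version, fixed_in)} for every bundled lib older than the fix."""
    return {
        lib: (bundled, FIXED_IN[lib])
        for lib, bundled in find_bundled_versions(lines).items()
        if parse_version(bundled) < parse_version(FIXED_IN[lib])
    }

# Constructed sample of `strings` output (not captured from the real binary).
SAMPLE_STRINGS = [
    "__TEXT",
    "libpng version 1.6.38 - September 14, 2022",
    "LIBTIFF, Version 4.6.0",
    "Copyright (c) 1988-1996 Sam Leffler",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the $BIN path from the reproduction steps
        out = subprocess.run(["strings", sys.argv[1]], capture_output=True, text=True, check=True)
        lines = out.stdout.splitlines()
    else:
        lines = SAMPLE_STRINGS
    for lib, (bundled, fixed) in outdated_libraries(lines).items():
        print(f"{lib}: bundled {bundled} is older than fixed-in {fixed}")
```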