A critical security vulnerability has been discovered in ImageMagick, the widely used open-source image processing software, that could allow attackers to execute arbitrary code remotely.
The vulnerability, tracked as CVE-2025-57803 with a severity score of 9.8 out of 10, affects 32-bit builds of ImageMagick versions before 7.1.2-2 and 6.9.13-28.
The Vulnerability Details
The security flaw stems from a 32-bit integer overflow in ImageMagick’s BMP (Bitmap) encoder, specifically within the WriteBMPImage function.
| Item | Details |
| --- | --- |
| CVE ID | CVE-2025-57803 |
| Vulnerability | 32-bit integer overflow in BMP encoder (WriteBMPImage) leading to heap buffer overflow |
| Affected Versions | ImageMagick < 7.1.2-2 (7.x branch); ImageMagick < 6.9.13-28 (6.x branch) |
| Patched Versions | 7.1.2-2; 6.9.13-28 |
| Severity (CVSS v3.1) | 9.8 (Critical) |
When an image is converted to BMP format, the scanline-stride computation overflows 32-bit arithmetic, causing the bytes_per_line value to collapse to an extremely small number while the image writer continues to output the full amount of pixel data per row.
Dirk Lemstra, the maintainer of ImageMagick and its .NET library Magick.NET, published the security advisory GHSA-mxvv-97wh-cfmm addressing this critical issue.
The vulnerability creates a classic heap corruption primitive that attackers can exploit in common auto-convert pipelines used by web applications and services.
The vulnerability manifests when processing specially crafted images with widths exceeding 178,956,969 pixels on 32-bit systems.
In such cases, the integer overflow causes the stride calculation to produce a tiny bytes_per_line value of just 688 bytes, while the actual per-row data requires over 536 million bytes.
This massive mismatch results in heap buffer overflow, allowing attackers to write controlled data far beyond allocated memory boundaries.
The attack vector is particularly concerning because it can be triggered through network-accessible conversion services without requiring authentication or user interaction.
Many web applications and cloud services automatically process uploaded images, converting them to various formats, including BMP, making them vulnerable to this exploit.
Only 32-bit ImageMagick builds are vulnerable to this attack; on 64-bit systems the same stride arithmetic is carried out in 64-bit integers, which do not wrap at these widths, so this specific overflow cannot occur. However, the maintainers recommend applying the patches to all systems as an additional safety measure.
The vulnerability can be exploited through typical upload-and-convert workflows where users upload images that are automatically processed by server-side ImageMagick instances. Attackers can craft malicious images that trigger the overflow when converted to BMP format, potentially leading to:
- Remote code execution through heap manipulation
- Denial of service attacks causing application crashes
- Memory corruption that could compromise system integrity
Immediate Action Required
ImageMagick users should immediately update to the patched versions:
- Version 7.1.2-2 or later for the 7.x branch
- Version 6.9.13-28 or later for the 6.x branch
The patches implement comprehensive arithmetic guards around stride computation and enforce safety invariants to prevent the integer overflow condition.
The fix includes validation of width and bits-per-pixel values before stride calculation, ensuring that row data cannot exceed allocated buffer boundaries.
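To make the failure mode described above concrete, the following added example (not ImageMagick's source, but an illustrative model of the standard BMP stride formula computed in 32-bit arithmetic) shows the unchecked stride beside a hardened form that bounds the operands before multiplying and enforces the invariant that a padded row is never shorter than its pixel data. The sample width is a constructed value chosen to reproduce the 688-byte collapsed stride the article quotes.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the 32-bit failure mode, not ImageMagick's source.
   BMP rows are padded to 4-byte multiples: stride = 4 * ((w*bpp + 31) / 32).
   On a 32-bit build every term is a 32-bit unsigned, so the product wraps. */
static uint32_t stride_unchecked32(uint32_t width, uint32_t bpp)
{
    return 4u * ((width * bpp + 31u) / 32u); /* wraps silently past 2^32 */
}

/* Hardened form: bound the operands before multiplying, then enforce the
   invariant that a padded row can never be shorter than its pixel data. */
static int stride_checked(uint32_t width, uint32_t bpp, size_t *stride_out)
{
    if (width == 0 || bpp == 0 || bpp > 32)
        return -1;
    /* w*bpp + 31 must fit in 32 bits; for 24 bpp this caps w at 178,956,969 */
    if (width > (UINT32_MAX - 31u) / bpp)
        return -1;
    size_t stride = 4u * (size_t)((width * bpp + 31u) / 32u);
    size_t row_bytes = ((size_t)width * bpp + 7u) / 8u;
    if (stride < row_bytes) /* writer would overrun the allocated row buffer */
        return -1;
    *stride_out = stride;
    return 0;
}

int main(void)
{
    /* Constructed sample: a 24 bpp image just past the threshold the
       article quotes; reproduces the 688-byte collapsed stride. */
    uint32_t width = 178957200u, bpp = 24u;
    size_t stride;
    printf("unchecked 32-bit stride: %u bytes\n", stride_unchecked32(width, bpp));
    printf("actual row data: %zu bytes\n", ((size_t)width * bpp + 7u) / 8u);
    printf("checked: %s\n", stride_checked(width, bpp, &stride) == 0 ? "ok" : "rejected");
    return 0;
}
```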
Beyond the update itself, additional recommended measures include:
- Regular security auditing of image processing pipelines
- Implementing defense-in-depth measures beyond library updates
- Monitoring for unusual image processing requests that could indicate exploitation attempts
Organizations using ImageMagick should prioritize this update and review their image processing workflows to ensure proper input validation and resource limits are in place.
The vulnerability serves as a reminder that seemingly benign image conversion operations can become critical attack vectors when processing untrusted content.
System administrators should also verify the architecture and update procedures of their ImageMagick installations, as this vulnerability specifically affects 32-bit builds that may still be deployed in legacy environments or containerized applications.