ImageMagick Vulnerabilities Cause Memory Corruption and Integer Overflows

The popular open-source image manipulation software ImageMagick has addressed four critical security vulnerabilities discovered by Google’s artificial intelligence-powered security research tool, Big Sleep.

These flaws, affecting millions of applications worldwide that rely on ImageMagick for image processing, have been patched in the latest software releases following responsible disclosure protocols.

AI Breakthrough in Cybersecurity

Google’s Big Sleep, developed collaboratively by DeepMind and Project Zero teams, represents a groundbreaking advancement in automated vulnerability detection.

The AI agent successfully identified and reproduced all four ImageMagick vulnerabilities without human intervention, though human experts conducted final reviews before disclosure.

This achievement follows Big Sleep’s previous success in preventing the exploitation of a critical SQLite vulnerability that was known only to threat actors.

  • Four distinct vulnerabilities tracked as CVE-2025-55154, CVE-2025-55004, CVE-2025-55005, and CVE-2025-55160.
  • CVSS scores ranging from 5.5 to 8.8, with the highest severity classified as “High”.
  • BIGSLEEP identifier system used to track all AI-discovered vulnerabilities.
  • Published by security researcher urban-warrior through GitHub Security Advisories.
  • Responsible disclosure process followed with patches released before public disclosure.

The vulnerabilities, tracked as CVE-2025-55154 (CVSS 8.8), CVE-2025-55004 (CVSS 7.6), CVE-2025-55005 (CVSS 5.5), and CVE-2025-55160 (CVSS 6.1), were published by security researcher urban-warrior through GitHub Security Advisories.

Each vulnerability carries a BIGSLEEP identifier, indicating that it was discovered through Google’s AI-powered research program.

Technical Impact & Risks

The most severe vulnerability, CVE-2025-55154, involves integer overflows in MNG (Multiple-image Network Graphics) magnification calculations within the ReadOneMNGImage function.

When processing specially crafted MNG files, unchecked arithmetic can wrap past the integer’s limits, leading to heap buffer overflows and potential arbitrary code execution.

The flaw specifically affects the calculation of magnified_width values, where both multiplication and addition operations can overflow, resulting in smaller-than-required buffer allocations.
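The undersized-allocation pattern described above, as an added example that is hypothetical model code and not ImageMagick’s ReadOneMNGImage: the unchecked width calculation beside an overflow-checked version that also enforces a deployment-chosen maximum width before anything is allocated. The parameter names width, x_mag, x_extra and max_width are assumptions, not ImageMagick’s.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of an MNG-style magnification step (not ImageMagick's
 * code): the magnified width is source width times a horizontal factor plus
 * some extra columns, all taken from file-controlled fields. */

/* Vulnerable pattern: both the multiply and the add can wrap around, so a
 * crafted file can yield a tiny magnified width and an undersized buffer. */
size_t magnified_width_unchecked(size_t width, size_t x_mag, size_t x_extra)
{
    return width * x_mag + x_extra;
}

/* Hardened pattern: reject any step that would wrap, then cap the result at a
 * deployment-chosen maximum. Returns 0 on rejection (0 is never a valid width). */
size_t magnified_width_checked(size_t width, size_t x_mag, size_t x_extra,
                               size_t max_width)
{
    size_t w;
    if (x_mag == 0 || width > SIZE_MAX / x_mag)
        return 0;                    /* multiplication would overflow */
    w = width * x_mag;
    if (w > SIZE_MAX - x_extra)
        return 0;                    /* addition would overflow */
    w += x_extra;
    if (w == 0 || w > max_width)
        return 0;                    /* absurd dimension: refuse to allocate */
    return w;
}

/* Allocate one row of 4-byte RGBA pixels for the magnified image. calloc
 * multiplies with its own overflow check, so the width is the only input that
 * has to be validated before this point. */
uint8_t *alloc_magnified_row(size_t width, size_t x_mag, size_t x_extra,
                             size_t max_width)
{
    size_t w = magnified_width_checked(width, x_mag, x_extra, max_width);
    if (w == 0)
        return NULL;
    return calloc(w, 4);
}
```

On a 64-bit build, width SIZE_MAX/2+1 with x_mag 2 wraps the unchecked product to 0, so the unchecked width becomes just the 16 extra columns while the checked version refuses the file.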

CVE-2025-55004 is a heap buffer over-read that occurs during image magnification when handling images with separate alpha channels.

This flaw can potentially leak sensitive memory contents into output images, creating confidentiality risks for applications processing user-supplied images.

The vulnerability occurs when the alpha_trait is updated mid-process, creating a mismatch between allocated buffer sizes and actual channel requirements.

The third vulnerability, CVE-2025-55005, affects log colorspace conversion handling, where insufficient bounds checking during reference-black and reference-white value processing can trigger heap-buffer overflows.

Meanwhile, CVE-2025-55160 causes undefined behavior in CloneSplayTree operations, resulting in deterministic crashes in sanitizer-enabled builds, though it poses minimal security risk in standard deployments.

ImageMagick users must immediately upgrade to the patched versions to protect against these vulnerabilities.

For the 7.x branch, version 7.1.2-1 addresses all four flaws, while legacy 6.x users should update to version 6.9.13-27.

Organizations using ImageMagick in web applications, content management systems, and automated image processing workflows face particular risk, as these vulnerabilities can be triggered through network-transmitted malicious images.

Security experts recommend implementing additional protective measures beyond patching, including strict input validation for image files, applying restrictive security policies that limit image dimensions, and monitoring image processing operations for anomalies.

The discovery of these vulnerabilities underscores ImageMagick’s complex security landscape, with the software historically experiencing numerous memory safety issues due to its support for over 200 image formats.

This breakthrough demonstrates the transformative potential of AI in cybersecurity, with Big Sleep now actively securing both Google’s ecosystem and open-source projects.

As Royal Hansen, Google’s vice president of engineering, noted, these findings represent “a new frontier in automated vulnerability discovery”, suggesting that AI-powered security tools will play an increasingly crucial role in identifying and preventing cyber threats before they can be exploited in real-world attacks.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.