Multiple ImageMagick Vulnerabilities Cause Memory Corruption and Integer Overflows

Security researchers have uncovered four serious vulnerabilities in ImageMagick, one of the world’s most widely used open-source image processing software suites, potentially exposing millions of users to security risks.

The vulnerabilities, discovered by researcher “urban-warrior” and published three days ago, include two high-severity flaws that could allow attackers to execute malicious code through specially crafted image files.

ImageMagick developers have already released patches addressing these issues, but organizations and individual users are urged to update their installations immediately to prevent potential exploitation.

The most severe vulnerabilities center around ImageMagick’s handling of MNG (Multiple-image Network Graphics) file format, specifically in the image magnification functionality.

Critical Memory Corruption Flaws

The first critical flaw, tracked as CVE-2025-55154 with the internal identifier BIGSLEEP-435153105, involves integer overflow vulnerabilities in the MNG magnification calculations.

When processing maliciously crafted MNG files, the software performs unsafe calculations that can overflow, leading to memory corruption and potential code execution.

The vulnerability occurs in the ReadOneMNGImage function within the coders/png.c file, where magnified size calculations use 32-bit unsigned integers that can overflow when processing images with large dimensions.

This overflow causes the software to allocate insufficient memory buffers while still using the original, larger parameters for magnification operations, resulting in out-of-bounds writes to heap memory with controlled data.

A second high-severity vulnerability, CVE-2025-55004 (BIGSLEEP-436829309), affects the same magnification functionality but specifically targets images with alpha channels.

This flaw creates heap buffer overflow conditions when ImageMagick processes MNG files containing separate alpha channel data, potentially allowing attackers to leak memory contents into output images or cause application crashes.

The discovered vulnerabilities stem from weaknesses in ImageMagick’s memory management and input validation. The key technical characteristics of these flaws include:

  • Integer Overflow Exploitation: Requires images with dimensions approaching 65,535 pixels, typically prevented by default security policies limiting dimensions to 8,000 pixels.
  • Alpha Channel Bypass: Can be triggered without violating standard security policies, making it particularly dangerous for production environments.
  • Memory Allocation Mismatch: Creates discrepancies between allocated buffer sizes and actual processing requirements.
  • Heap Buffer Corruption: Enables out-of-bounds memory writes with attacker-controlled data.

The alpha channel vulnerability presents a particularly concerning attack vector because it can be triggered without violating standard security policies.

The flaw occurs when ImageMagick updates image metadata to include alpha channel information after initially calculating buffer sizes, creating a mismatch between allocated memory and actual requirements during subsequent processing operations.
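The two failure modes described above (a 32-bit size calculation that wraps, and a buffer sized before the channel count changes) can be illustrated with a small model. This is an added example, not code from ImageMagick’s coders/png.c; the formula `columns * rows * bytes_per_pixel`, the 256 MB limit and the dimensions used are constructed assumptions, and `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (an assumption, not the png.c code): the pixel buffer
 * for a magnified frame is sized as columns * rows * bytes_per_pixel. */

/* Vulnerable pattern: the product is formed in 32-bit unsigned arithmetic,
 * so large dimensions wrap modulo 2^32 and a too-small buffer is allocated
 * while the original, larger dimensions still drive the pixel writes. */
uint32_t buffer_bytes_u32(uint32_t columns, uint32_t rows, uint32_t bpp)
{
    return columns * rows * bpp;   /* silently wraps on overflow */
}

/* Hardened pattern: overflow-checked size_t arithmetic plus an explicit
 * resource limit. Returns 0 (never a wrong size) on overflow, zero input
 * or a policy violation. */
size_t buffer_bytes_checked(size_t columns, size_t rows, size_t bpp,
                            size_t max_bytes)
{
    size_t area, bytes;
    if (columns == 0 || rows == 0 || bpp == 0)
        return 0;
    if (__builtin_mul_overflow(columns, rows, &area))
        return 0;
    if (__builtin_mul_overflow(area, bpp, &bytes))
        return 0;
    return bytes > max_bytes ? 0 : bytes;
}

/* Allocation/use mismatch as in the alpha-channel case: the buffer holds
 * 'allocated' bytes, but processing later writes 'use_bpp' bytes per pixel.
 * True only if every write stays in bounds, i.e. the check that must run
 * again whenever the channel count is updated after allocation. */
bool writes_fit(size_t allocated, size_t columns, size_t rows, size_t use_bpp)
{
    size_t needed = buffer_bytes_checked(columns, rows, use_bpp, SIZE_MAX);
    return needed != 0 && needed <= allocated;
}

int main(void)
{
    /* Constructed dimensions, chosen so the 32-bit product wraps. */
    printf("wrapped size: %" PRIu32 " bytes\n", buffer_bytes_u32(70000u, 70000u, 4u));
    printf("checked size: %zu bytes (0 = rejected)\n",
           buffer_bytes_checked(70000, 70000, 4, (size_t)256 << 20));
    printf("RGB buffer reused for RGBA fits: %s\n",
           writes_fit((size_t)8000 * 8000 * 3, 8000, 8000, 4) ? "yes" : "no");
    return 0;
}
```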

Two additional moderate-severity vulnerabilities compound the security concerns. CVE-2025-55005 (BIGSLEEP-435156754) affects log colorspace handling, where improper validation of reference-black and reference-white values can cause heap buffer overflows when these values exceed 1024.

The fourth vulnerability, CVE-2025-55160, involves undefined behavior in the CloneSplayTree function, which could lead to application crashes in sanitizer-enabled builds.

Patches & Recommendations

ImageMagick developers have responded swiftly to these discoveries, releasing patched versions that address all identified vulnerabilities.

Users of ImageMagick 7.x should upgrade to version 7.1.2-1 or later, while those using the legacy 6.x branch should update to version 6.9.13-27 or newer.

The patches implement proper bounds checking, fix memory allocation calculations, and resolve the function pointer type mismatches that enabled these vulnerabilities.

Organizations relying on ImageMagick for web applications, content management systems, or automated image processing workflows should prioritize these updates immediately.

The network-based attack vector of the primary vulnerabilities, combined with their high CVSS scores ranging from 8.8 to 9.8, indicates that successful exploitation could lead to complete system compromise.

Security administrators should also review their ImageMagick security policies, ensuring that appropriate limits remain in place for image dimensions, file sizes, and supported formats.

While the websafe security policy would block some of these vulnerabilities, the alpha channel flaw demonstrates that restrictive policies alone cannot provide complete protection.

The discovery of these vulnerabilities highlights the ongoing security challenges facing widely-deployed open-source software, particularly tools that process untrusted input from external sources.

Regular security auditing and prompt patch deployment remain essential components of maintaining secure image processing infrastructures.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.