PoC Exploit Released for ImageMagick RCE Vulnerability

A proof-of-concept (PoC) exploit has been released for a critical remote code execution (RCE) vulnerability in ImageMagick 7’s MagickCore subsystem, specifically affecting the blob I/O (BlobStream) implementation.

Security researchers and the ImageMagick team urge all users and organizations to update immediately to prevent exploitation.

ImageMagick, a widely used image processing library, was found to contain a heap out-of-bounds write flaw in its SeekBlob() and WriteBlob() functions within the MagickCore/blob.c component.

This vulnerability, tracked as CVE-2025-57807 and rated CVSS 9.8 (Critical), allows attackers to corrupt memory and reliably execute arbitrary code under certain conditions.

The flaw lies in the handling of forward seeks in memory-backed blobs: seeking beyond the end of the buffer allows the subsequent write to overrun the buffer and corrupt the heap, with attacker-controlled data written at attacker-chosen offsets.

Exploit and Impact

  • The root cause is a contract mismatch between SeekBlob() (which advances the offset, even past the end of the buffer) and WriteBlob() (which does not grow the allocation to cover a write far beyond the buffer’s end). This makes exploitation reliable whenever a forward seek is performed before data is written.
  • The issue affects ImageMagick 7.1.2-0 and 7.1.2-1 (and possibly other versions with similar logic), and is architecture-agnostic on LP64 systems.
  • Easy reachability of the bug means even third-party or custom encode-to-memory workflows may inadvertently introduce exploit paths.

Security researcher Lumina Mescuwa released a working proof-of-concept exploit demonstrating memory corruption following a forward seek well past the buffer’s end, followed by a write.

This gives an attacker a strong primitive for remote code execution, since heap corruption can be leveraged for process takeover or denial of service. The exploit does not require special delegates, policy changes, or arithmetic wraparounds.

Given ImageMagick’s use in web services and cloud pipelines, unsanitized workloads may allow attackers to run code remotely by simply uploading a crafted image.

Organizations using ImageMagick for image handling are at high risk if external images are processed without strict isolation.

The ImageMagick project has released patches closing this vulnerability, with 7.1.2-3 (7.x) and 6.9.13-29 (6.x) as the first safe releases.

The fix ensures that all writes are preceded by buffer expansion to meet the actual offset plus length, eliminating the out-of-bounds write. All users should:

  • Upgrade ImageMagick immediately to the patched versions.
  • Audit deployments and ensure no legacy builds remain in production.
  • Consider hardening downstream processing to detect suspicious seeks and file writes.
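As an added illustration (not ImageMagick's code), the following hypothetical memory-backed blob in C honours the contract the patch restores: a forward seek only moves the offset, and the write grows the allocation to offset plus length, zero-filling the gap and rejecting wraparound, before any byte is copied.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory blob; field names are assumptions, not ImageMagick's BlobInfo. */
typedef struct {
    unsigned char *data;
    size_t length;   /* bytes of valid content */
    size_t extent;   /* bytes actually allocated */
    size_t offset;   /* current position set by seek */
} MemBlob;

/* A forward seek may move offset past length; it allocates nothing.
   The write below must therefore size the buffer from offset, not from length. */
int mem_seek(MemBlob *b, size_t offset) {
    b->offset = offset;
    return 0;
}

/* Returns bytes written, or -1 on overflow/allocation failure. */
long mem_write(MemBlob *b, const void *src, size_t len) {
    if (len > SIZE_MAX - b->offset) return -1;      /* offset + len would wrap */
    size_t required = b->offset + len;               /* the real end of this write */
    if (required > b->extent) {
        size_t new_extent = required + (required >> 1) + 1;
        unsigned char *p = realloc(b->data, new_extent);
        if (p == NULL) return -1;
        memset(p + b->length, 0, new_extent - b->length); /* no stale heap bytes in the gap */
        b->data = p;
        b->extent = new_extent;
    }
    memcpy(b->data + b->offset, src, len);           /* now provably inside the allocation */
    b->offset += len;
    if (b->offset > b->length) b->length = b->offset;
    return (long)len;
}

/* Forward seek well past the end, then write: returns 1 if every invariant holds. */
int demo_forward_seek_then_write(void) {
    MemBlob b = {0};
    unsigned char src[4] = {1, 2, 3, 4};
    int ok = mem_write(&b, src, 4) == 4 && b.length == 4;
    ok = ok && mem_seek(&b, 100) == 0 && mem_write(&b, src, 4) == 4;
    ok = ok && b.length == 104 && b.extent >= 104;
    ok = ok && b.data[50] == 0 && b.data[100] == 1 && b.data[103] == 4;
    ok = ok && mem_seek(&b, SIZE_MAX - 2) == 0 && mem_write(&b, src, 4) == -1;
    free(b.data);
    return ok;
}
```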

Security teams worldwide are monitoring for exploit attempts. With the release of a public PoC, prompt action is essential for all environments relying on ImageMagick.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.