Skip to main content

Imagemagick CVE-2025-53015

HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2025-07-14 security-advisories@github.com GHSA-vmhh-8rxq-fp9g
Information Disclosure Imagemagick Red Hat Suse
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
PoC Detected
Oct 08, 2025 - 17:06 vuln.today
Public exploit code
CVE Published
Jul 14, 2025 - 20:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue.

AnalysisAI

CVE-2025-53015 is a denial-of-service vulnerability in ImageMagick versions prior to 7.1.2-0 that causes infinite loops during XMP file conversion operations. An unauthenticated attacker can trigger this vulnerability remotely by submitting a maliciously crafted XMP file, resulting in resource exhaustion and service unavailability. The vulnerability has a CVSS score of 7.5 (High) due to its network-exploitable nature and availability impact, though it does not affect confidentiality or integrity.

Technical ContextAI

ImageMagick is a widely-used image processing library and command-line tool (CPE: cpe:2.3:a:imagemagick:imagemagick) that handles multiple image formats including XMP (Extensible Metadata Platform) metadata. The vulnerability resides in the XMP file parsing/conversion logic, specifically in CWE-835 (Infinite Loop), where improper control flow handling during XMP metadata processing causes the application to enter an unbounded loop. When ImageMagick processes a specially crafted XMP file through conversion commands, the parser fails to properly validate or terminate loop conditions, consuming CPU and memory resources indefinitely. This is a classic infinite loop vulnerability where the exit condition is never met due to malformed or adversarial XMP structure.

RemediationAI

Immediate remediation: upgrade ImageMagick to version 7.1.2-0 or later. Vendor patch is available as of the release date of 7.1.2-0. Interim mitigations if upgrade is delayed: (1) disable or restrict XMP file processing if not required; (2) implement input validation to reject XMP files or limit processing to trusted sources; (3) add timeout/resource limits to ImageMagick process execution (ulimit, cgroups) to prevent full system exhaustion; (4) deploy rate limiting on image upload/conversion endpoints; (5) consider using alternative image processing libraries for XMP handling if available; (6) monitor process resource usage for signs of infinite loops. For containerized deployments, rebuild images with ImageMagick 7.1.2-0+. For package managers (apt, yum, brew), update via standard channels once packages are available.

More from same product – last 7 days

CVE-2026-53460 HIGH
7.5 Jun 10

Denial of service in ImageMagick prior to 6.9.13-50 and 7.1.2-25 allows remote attackers to trigger an out-of-memory con
CVE-2026-53461 HIGH
7.5 Jun 10

Out-of-bounds heap write in ImageMagick's ICON decoder allows remote attackers to crash the application by supplying a m
CVE-2026-53465 MEDIUM
6.2 Jun 10

Heap-based buffer over-write in ImageMagick's SF3 encoder prior to version 7.1.2-25 allows an attacker who can supply a

CVE-2026-53462 MEDIUM
5.9 Jun 10

Heap-use-after-free in ImageMagick's CheckPrimitiveExtent function allows remote attackers to crash the image processing
CVE-2026-53463 MEDIUM
4.3 Jun 10

Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies mal

Vendor StatusVendor

Ubuntu

Priority: Medium
imagemagick
Release Status Version
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
plucky not-affected code not present
questing not-affected 8:7.1.2.3+dfsg1-1
trusty not-affected code not present
upstream released 7.1.2-0
xenial not-affected code not present

Debian

Bug #1109339
imagemagick
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 8:6.9.11.60+dfsg-1.3+deb11u10 -
bookworm not-affected - -
bookworm (security) fixed 8:6.9.11.60+dfsg-1.6+deb12u7 -
trixie fixed 8:7.1.1.43+dfsg1-1+deb13u1 -
trixie (security) fixed 8:7.1.1.43+dfsg1-1+deb13u6 -
forky fixed 8:7.1.2.15+dfsg1-2 -
sid fixed 8:7.1.2.16+dfsg1-1 -
(unstable) fixed 8:7.1.1.47+dfsg1-2 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP6 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP6 Fixed

Share

CVE-2025-53015 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy