
Imagemagick CVE-2025-53015

HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2025-07-14 security-advisories@github.com GHSA-vmhh-8rxq-fp9g
7.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis generated: Mar 16, 2026 - 09:43 (vuln.today)
PoC detected: Oct 08, 2025 - 17:06 (vuln.today) - public exploit code
CVE published: Jul 14, 2025 - 20:15 (nvd)

Description (NVD)

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue.

Analysis (AI-generated)

CVE-2025-53015 is a denial-of-service vulnerability in ImageMagick versions prior to 7.1.2-0 that causes infinite loops during XMP file conversion operations. An unauthenticated attacker can trigger this vulnerability remotely by submitting a maliciously crafted XMP file, resulting in resource exhaustion and service unavailability. The vulnerability has a CVSS score of 7.5 (High) due to its network-exploitable nature and availability impact, though it does not affect confidentiality or integrity.

Technical Context (AI-generated)

ImageMagick is a widely used image processing library and command-line tool (CPE: cpe:2.3:a:imagemagick:imagemagick) that handles many image formats, including XMP (Extensible Metadata Platform) metadata. The vulnerability, classified as CWE-835 (Infinite Loop), resides in the XMP conversion logic: improper control-flow handling during XMP metadata processing lets the application enter an unbounded loop. When ImageMagick processes a specially crafted XMP file through a conversion command, the loop's exit condition is never reached, so the process consumes CPU time indefinitely. This is a classic infinite-loop condition in which malformed or adversarial XMP structure prevents the loop from terminating.

Remediation (AI-generated)

Immediate remediation: upgrade ImageMagick to version 7.1.2-0 or later. The vendor patch is available as of the release date of 7.1.2-0. Interim mitigations if the upgrade is delayed:
(1) disable or restrict XMP file processing if it is not required;
(2) implement input validation to reject XMP files or limit processing to trusted sources;
(3) add timeout/resource limits to ImageMagick process execution (ulimit, cgroups) to prevent full system exhaustion;
(4) deploy rate limiting on image upload/conversion endpoints;
(5) consider using alternative image processing libraries for XMP handling if available;
(6) monitor process resource usage for signs of infinite loops.
For containerized deployments, rebuild images with ImageMagick 7.1.2-0 or later. For package managers (apt, yum, brew), update via standard channels once packages are available.
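As an added example of mitigation (3), not taken from the advisory or from the ImageMagick project, the POSIX shell wrapper below bounds wall-clock time, CPU time and memory for a single conversion, and layers ImageMagick's own `-limit time` and `-limit memory` resource limits on top so a looping parser is killed instead of pinning a core. It assumes GNU coreutils `timeout` and the ImageMagick 7 `magick` binary on PATH; the limit values are illustrative.

```shell
#!/bin/sh
# Added example (not ImageMagick's own code): bound an image conversion so a
# CWE-835 infinite loop fails fast instead of exhausting the host.

# run_with_limits SECONDS CMD...
#   Runs CMD under a wall-clock cap (coreutils timeout), a CPU-seconds cap and
#   a virtual-memory cap (ulimit). Returns 124 when timeout had to kill CMD,
#   otherwise CMD's own exit status. Limits are applied in a subshell so the
#   caller's shell is unaffected.
run_with_limits() {
    secs="$1"; shift
    (
        ulimit -t "$secs" 2>/dev/null || true   # CPU seconds; kernel sends SIGXCPU
        ulimit -v 1048576 2>/dev/null || true   # 1 GiB virtual memory (adjust)
        exec timeout --kill-after=5 "$secs" "$@" # SIGTERM at $secs, SIGKILL 5s later
    )
}

# convert_limited IN OUT
#   ImageMagick-specific wrapper: the OS limits above are the outer fence,
#   and ImageMagick's resource policy (-limit time/memory/map) is the inner
#   one, so the library aborts the job itself before the OS has to step in.
convert_limited() {
    run_with_limits 30 magick \
        -limit time 25 \
        -limit memory 256MiB \
        -limit map 512MiB \
        "$1" "$2"
}

# Stand-alone usage: ./wrapper.sh input.xmp output.png
if [ "$#" -eq 2 ]; then
    convert_limited "$1" "$2"
    rc=$?
    [ "$rc" -eq 124 ] && echo "conversion killed: exceeded time limit" >&2
    exit "$rc"
fi
```

The same `time`/`memory` limits can be set fleet-wide in ImageMagick's policy.xml via `<policy domain="resource" name="time" value="..."/>`, which covers callers that do not go through this wrapper.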

Vendor Status

Ubuntu

Priority: Medium
imagemagick
Release    Status        Version
bionic     not-affected  code not present
focal      not-affected  code not present
jammy      not-affected  code not present
noble      not-affected  code not present
plucky     not-affected  code not present
questing   not-affected  8:7.1.2.3+dfsg1-1
trusty     not-affected  code not present
upstream   released      7.1.2-0
xenial     not-affected  code not present

Debian

Bug #1109339
imagemagick
Release               Status        Fixed Version                      Urgency
bullseye              not-affected  -                                  -
bullseye (security)   fixed         8:6.9.11.60+dfsg-1.3+deb11u10      -
bookworm              not-affected  -                                  -
bookworm (security)   fixed         8:6.9.11.60+dfsg-1.6+deb12u7       -
trixie                fixed         8:7.1.1.43+dfsg1-1+deb13u1         -
trixie (security)     fixed         8:7.1.1.43+dfsg1-1+deb13u6         -
forky                 fixed         8:7.1.2.15+dfsg1-2                 -
sid                   fixed         8:7.1.2.16+dfsg1-1                 -
(unstable)            fixed         8:7.1.1.47+dfsg1-2                 -


CVE-2025-53015 vulnerability details – vuln.today
