Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N because encrypted images traverse networks; AC:H because the attacker must collect ciphertexts encrypted under the same nonce; PR:N because no authentication to ImageMagick itself is needed; VC:L because only partial plaintext recovery is possible.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.
Analysis (AI)
Nonce reuse in ImageMagick's AES-CTR cipher implementation exposes encrypted image plaintext to recovery attacks. The PasskeyEncipherImage method in ImageMagick before 7.1.2-22 reuses nonces when performing AES in Counter mode, violating the fundamental security requirement that a nonce be used exactly once per key. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires that the target deployment actively use ImageMagick's PasskeyEncipherImage feature to encrypt image files - organizations that do not invoke this specific method are not exposed. … |
| Risk Assessment | The CVSS 4.0 score of 6.3 reflects a meaningful but bounded risk: AV:N indicates the attack is network-reachable (encrypted images can traverse networks), AC:H signals high attack complexity, and AT:P confirms that specific preconditions must be met beyond the attacker's direct control. … |
| Exploit Scenario | An attacker who can collect two or more image files encrypted with ImageMagick's PasskeyEncipherImage using the same passkey and nonce - for example, by monitoring a file-sharing endpoint, cloud storage bucket, or backup pipeline - XORs the raw ciphertext blobs to obtain the XOR of the two plaintexts. Using standard image-structure knowledge (e.g., predictable headers, color patterns, or repeated regions), the attacker reconstructs one or both original images. … |
| Remediation | Upgrade ImageMagick to version 7.1.2-22 or later, which resolves the AES-CTR nonce reuse in PasskeyEncipherImage. … |
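
The keystream-reuse property behind this issue, as an added example that is not ImageMagick's code and not part of the original record: a SHA-256 counter keystream stands in for AES-CTR (the leak depends only on keystream reuse, not on the block cipher), and the key, plaintexts and audit records are constructed. `find_nonce_reuse` is a hypothetical audit helper that assumes each ciphertext's key identifier and nonce are available to the auditor.

```python
import hashlib
import os
from collections import defaultdict

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption): block i = SHA-256(key || nonce || i).
    # Like CTR mode, the keystream is fully determined by (key, nonce).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Counter-mode encryption: ciphertext = plaintext XOR keystream.
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    # True when the keystream cancels out and C1 ^ C2 equals P1 ^ P2.
    return xor(c1, c2) == xor(p1, p2)

def find_nonce_reuse(records):
    # records: iterable of (name, key_id, nonce); returns names sharing a (key_id, nonce).
    groups = defaultdict(list)
    for name, key_id, nonce in records:
        groups[(key_id, nonce)].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def demo():
    key = b"k" * 16                          # constructed key
    p1 = b"constructed pixel row A " * 4     # constructed plaintexts
    p2 = b"constructed pixel row B " * 4
    fixed = b"\x00" * 12                     # same nonce for both messages
    reused = leaks_plaintext_xor(encrypt(key, fixed, p1), encrypt(key, fixed, p2), p1, p2)
    n1, n2 = os.urandom(12), os.urandom(12)  # fresh random nonce per message
    fresh = leaks_plaintext_xor(encrypt(key, n1, p1), encrypt(key, n2, p2), p1, p2)
    return reused, fresh

if __name__ == "__main__":
    print(demo())
```

With a reused nonce the relation holds regardless of the key, which is why rotating the nonce per encryption (not only protecting the passkey) is the property to verify after upgrading.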
EUVD-2026-40449
GHSA-vgqj-4jhr-3wh5