Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-53014

LOW
Published 2025-07-14T17:59:25.533Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-53014. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
3.7
/10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
LOW
Integrity
NONE
Availability
NONE

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

ImageMagick

ImageMagick

Affected Versions:

< 7.1.2-0 < 6.9.13-26

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

Not EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Affected Products (ENISA)

imagemagick
imagemagick

ENISA Scoring

CVSS Score (3.1)

3.7
/10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.060
probability

ENISA References

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f

Data provided by ENISA EU Vulnerability Database. Last updated: July 14, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

ImageMagick has a Heap Buffer Overflow in InterpretImageFilename

GHSA-hm4x-r5hc-794f

Advisory Details

# Heap Buffer Overflow in InterpretImageFilename ## Summary A heap buffer overflow was identified in the `InterpretImageFilename` function of ImageMagick. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). ## Environment - **OS**: Arch Linux (Linux gmkhost 6.14.2-arch1-1 # 1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 18:43:59 +0000 x86_64 GNU/Linux (GNU libc) 2.41) - **Architecture**: x86_64 - **Compiler**: gcc (GCC) 15.1.1 20250425 ## Reproduction ### Build Instructions ```bash # Clone the repository git clone https://github.com/ImageMagick/ImageMagick.git cd ImageMagick git reset --hard 8fff9b4f44d2e8b5cae2bd6db70930a144d15f12 # Build with AddressSanitizer export CFLAGS="-fsanitize=address -g -O1" export CXXFLAGS="-fsanitize=address -g -O1" export LDFLAGS="-fsanitizer=address" ./configure make # Set library path and trigger the crash export LD_LIBRARY_PATH="$(pwd)/MagickWand/.libs:$(pwd)/MagickCore/.libs:$LD_LIBRARY_PATH" ./utilities/.libs/magick %% a ``` ### Minimum Trigger ```bash ./utilities/.libs/magick %% [any_output_filename] ``` ## Crash Analysis ### AddressSanitizer Output ``` $ ./utilities/.libs/magick %% a ================================================================= ==2227694==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7037f99e3ad3 at pc 0x741801e81a17 bp 0x7ffd22fa4e00 sp 0x7ffd22fa45b8 READ of size 1 at 0x7037f99e3ad3 thread T0 #0 0x741801e81a16 in strchr /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:746 #1 0x7418013b4f06 in InterpretImageFilename MagickCore/image.c:1674 #2 0x7418012826a3 in ReadImages MagickCore/constitute.c:1040 #3 0x741800e4696b in CLINoImageOperator MagickWand/operation.c:4959 #4 0x741800e64de7 in CLIOption MagickWand/operation.c:5473 #5 0x741800d92edf in ProcessCommandOptions MagickWand/magick-cli.c:653 #6 0x741800d94816 in MagickImageCommand MagickWand/magick-cli.c:1392 #7 0x741800d913e4 in MagickCommandGenesis MagickWand/magick-cli.c:177 #8 0x5ef7a3546638 in MagickMain utilities/magick.c:162 #9 0x5ef7a3546872 in main utilities/magick.c:193 #10 0x7417ff53f6b4 (/usr/lib/libc.so.6+0x276b4) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35) #11 0x7417ff53f768 in __libc_start_main (/usr/lib/libc.so.6+0x27768) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35) #12 0x5ef7a3546204 in _start (/home/kforfk/workspace/fuzz_analysis/saigen/ImageMagick/utilities/.libs/magick+0x2204) (BuildId: 96677b60628cf297eaedb3eb17b87000d29403f2) 0x7037f99e3ad3 is located 0 bytes after 3-byte region [0x7037f99e3ad0,0x7037f99e3ad3) allocated by thread T0 here: #0 0x741801f20e15 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:67 #1 0x7418013e86bc in AcquireMagickMemory MagickCore/memory.c:559 SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/image.c:1674 in InterpretImageFilename Shadow bytes around the buggy address: 0x7037f99e3800: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa 0x7037f99e3880: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa 0x7037f99e3900: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa 0x7037f99e3980: fa fa 07 fa fa fa 00 fa fa fa fd fa fa fa fd fa 0x7037f99e3a00: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa 00 04 =>0x7037f99e3a80: fa fa 00 04 fa fa 00 00 fa fa[03]fa fa fa 03 fa 0x7037f99e3b00: fa fa 00 01 fa fa fa fa fa fa fa fa fa fa fa fa 0x7037f99e3b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x7037f99e3c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x7037f99e3c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x7037f99e3d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2227694==ABORTING ``` ## Root Cause Analysis The first command line argument is interpreted as `MagickImageCommand`: https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/utilities/magick.c#L83 ```c const CommandInfo MagickCommands[] = { MagickCommandSize("magick", MagickFalse, MagickImageCommand), ``` It is invoked here: https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L220 ```c status=command(image_info,argc,argv,&text,exception); ``` The execution then follows this path: - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L1387 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L586 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/magick-cli.c#L419 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L5391 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L5473 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickWand/operation.c#L4959 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/constitute.c#L1009 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/constitute.c#L1039 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/image.c#L1649 - https://github.com/ImageMagick/ImageMagick/blob/8fff9b4f44d2e8b5cae2bd6db70930a144d15f12/MagickCore/image.c#L1674 The execution eventually reaches `InterpretImageFilename` and enters a loop. The `format` variable here is `"%%"`. At this point, it is safe to access `*(format + 2)` but not safe to access `*(format + 3)`. ```c for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) { q=(char *) p+1; if (*q == '%') { p=q+1; continue; } ``` The first `strchr` call returns a pointer equal to `format` and assigns it to `p`. Then `q` is initialized with `p + 1` (`format + 1`), and `*q` is `'%'`, so the code enters the if branch. Here, `p` is reassigned to `q + 1` (`format + 2`). In the next iteration, `p + 1` (`format + 3`) is passed to `strchr`, and when `strchr` accesses it, this causes an out-of-bounds read.

Affected Packages

NuGet Magick.NET-Q16-AnyCPU
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-AnyCPU
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-OpenMP-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-OpenMP-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-HDRI-x86
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-OpenMP-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-OpenMP-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q16-x86
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-AnyCPU
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-OpenMP-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-OpenMP-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-arm64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-x64
ECOSYSTEM: ≥0 <14.7.0
NuGet Magick.NET-Q8-x86
ECOSYSTEM: ≥0 <14.7.0

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

WEB https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-53014
WEB https://github.com/ImageMagick/ImageMagick/commit/29d82726c7ec20c07c49ba263bdcea16c2618e03
WEB https://github.com/ImageMagick/ImageMagick6/commit/79b6ed03770781d996d1710b89fbb887e5ea758a
PACKAGE https://github.com/ImageMagick/ImageMagick
WEB https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0

Advisory provided by GitHub Security Advisory Database. Published: August 25, 2025, Modified: August 25, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post
Reddit 6 days, 7 hours ago
michaelpaoli

Debian 13.1 (and 12.12) 2025-09-06 "Just" a "minor" point release. But for those that have been waiting to upgrade to Debian 13, perhaps that time now draws nearer? [\[SUA 273-1\] Upcoming Debian 13 Update (13.1)](https://lists.debian.org/debian-stable-announce/2025/09/msg00000.html) [\[SUA 274-1\] Upcoming Debian 12 Update (12.12)](https://lists.debian.org/debian-stable-announce/2025/09/msg00001.html) 13.1: >\[SUA 273-1\] Upcoming Debian 13 Update (13.1) …

Also mentions: CVE-2025-7039 CVE-2025-40927 CVE-2025-9185 CVE-2025-9181 CVE-2025-47806 CVE-2025-47219 CVE-2025-47807 CVE-2025-47808 CVE-2025-53859 CVE-2025-50952 CVE-2025-54798 CVE-2025-54874 CVE-2025-54350 CVE-2025-54349 CVE-2025-27613 CVE-2025-27614 CVE-2025-20260 CVE-2025-23048 CVE-2025-46835 CVE-2025-49812 CVE-2025-49630 CVE-2025-53019 CVE-2025-53101 CVE-2025-53020 CVE-2025-8058 CVE-2024-42516 CVE-2024-43394 CVE-2024-43204 CVE-2024-47252 CVE-2025-6965 CVE-2025-7394 CVE-2025-7783 CVE-2025-53015 CVE-2025-48385 CVE-2025-48384 CVE-2024-25178 CVE-2024-25177 CVE-2024-25176 CVE-2025-4748 CVE-2024-6174 CVE-2024-11584 CVE-2025-6170 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-5916 CVE-2025-5915 CVE-2025-5914 CVE-2025-5917 CVE-2025-49133 CVE-2025-48387 CVE-2025-27553 CVE-2025-27773 CVE-2025-48734 CVE-2025-46712 CVE-2025-46393 CVE-2025-46398 CVE-2025-46397 CVE-2025-47203 CVE-2023-52970 CVE-2023-26819 CVE-2025-40908 CVE-2025-40909 CVE-2025-4373 CVE-2023-53154 CVE-2025-2784 CVE-2025-48060 CVE-2025-47273 CVE-2025-4802 CVE-2025-46399 CVE-2025-46400 CVE-2025-46337 CVE-2025-32050 CVE-2025-46421 CVE-2025-46420 CVE-2025-43965 CVE-2025-43964 CVE-2025-43963 CVE-2025-43962 CVE-2025-43961 CVE-2025-3818 CVE-2025-32906 CVE-2025-32912 CVE-2025-32911 CVE-2025-30722 CVE-2025-30693 CVE-2025-3576 CVE-2025-32910 CVE-2025-32909 CVE-2025-32913 CVE-2025-32053 CVE-2025-32052 CVE-2025-32051 CVE-2024-12905 CVE-2025-30472 CVE-2024-6866 CVE-2024-6844 CVE-2024-6839 CVE-2024-8176 CVE-2023-52971 CVE-2023-52969 CVE-2025-27516 CVE-2025-27221 CVE-2022-37660 CVE-2024-56161 CVE-2025-20128 CVE-2025-23016 CVE-2024-34703 CVE-2024-34702 CVE-2024-45236 CVE-2024-45234 CVE-2024-45235 CVE-2024-45238 CVE-2024-45237 CVE-2024-45239 CVE-2024-0962 CVE-2024-10525 CVE-2024-31031 CVE-2024-38875 CVE-2024-57822 CVE-2024-57823 CVE-2024-3935 CVE-2024-42005 CVE-2024-39330 CVE-2024-39329 CVE-2024-39917 CVE-2024-39312 CVE-2024-39614 CVE-2024-52532 CVE-2024-52530 CVE-2024-52531 CVE-2024-33899 CVE-2024-50602 CVE-2024-50624 CVE-2024-50383 CVE-2024-50612 CVE-2024-5569 CVE-2024-49768 CVE-2024-49769 CVE-2024-1681 CVE-2024-41991 CVE-2024-41990 CVE-2024-41989 CVE-2024-8376 CVE-2023-36053 CVE-2023-31484 CVE-2023-28755 CVE-2023-28366 CVE-2023-42822 CVE-2023-52425 CVE-2023-40184 CVE-2022-33065 CVE-2021-46312 CVE-2021-46310 CVE-2021-25743 CVE-2019-25211
70
8
86.0
View Original

References

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hm4x-r5hc-794f
Published: 2025-07-14T17:59:25.533Z
Last Modified: 2025-07-14T18:26:16.271Z
Copied to clipboard!