CVE-2025-55298

Summary

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Affected Software

VendorProductVersion RangeStatus
ImageMagickImageMagick< 7.1.2-2affected
ImageMagickImageMagick< 6.9.13-28affected

Weaknesses

  • CWE-123: CWE-123: Write-what-where Condition
  • CWE-134: CWE-134: Use of Externally-Controlled Format String

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

CVE Program Container

Additional References

References