CVE-2025-53019
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53019 is a memory leak vulnerability in ImageMagick's `magick stream` command. It occurs when multiple consecutive `%d` format specifiers are used in a filename template, causing the program to improperly free allocated memory. This leads to a leak of memory resources during execution. The issue affects versions prior to 7.1.2-0 and 6.9.13-26 and was confirmed by testing with AddressSanitizer. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a memory leak when using the `magick stream` command with certain filename templates. The leak can reduce system availability by consuming memory resources unnecessarily, potentially leading to degraded performance or crashes if exploited repeatedly. However, it does not affect confidentiality or integrity of data. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability primarily impacts availability due to a memory leak and does not involve loss of confidentiality or integrity. Therefore, it has minimal or no direct effect on compliance with standards like GDPR or HIPAA, which focus on protecting personal data confidentiality and integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the vulnerable ImageMagick `magick stream` command with multiple consecutive `%d` format specifiers in a filename template and observing memory leaks. A suggested command to reproduce the leak is: `magick stream %d%d a a`. Running this command with AddressSanitizer enabled during build can help detect the memory leak by showing leaked bytes. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade ImageMagick to version 7.1.2-0 or later, or 6.9.13-26 or later, where the memory leak issue in the `magick stream` command has been fixed. [1]