CVE-2025-55160
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in ImageMagick involves undefined behavior due to a function-type mismatch in the splay tree cloning callback. In sanitizer builds (with UBSan), this causes a deterministic abort, leading to a denial of service (DoS). In non-sanitized builds, it does not cause a crash. The issue has been fixed in versions 6.9.13-27 and 7.1.2-1.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) in environments where sanitizer builds are used, potentially disrupting services that rely on ImageMagick for image processing. However, in normal builds without sanitizers, it does not cause a crash.
What immediate steps should I take to mitigate this vulnerability?
Update ImageMagick to version 6.9.13-27 or later, or 7.1.2-1 or later, where the vulnerability has been patched.