CVE-2025-55298
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
| imagemagick | imagemagick | From 7.0.11-13 (inc) to 7.1.1-36 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-134 | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CWE-123 | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a format string bug in the InterpretImageFilename function of ImageMagick. User input is passed directly to FormatLocaleString without proper sanitization, allowing an attacker to overwrite arbitrary memory regions. This can lead to various attacks including heap overflow and remote code execution.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute arbitrary code remotely, potentially leading to system compromise, data loss, or service disruption.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update ImageMagick to version 6.9.13-28 or later, or 7.1.2-2 or later, where the format string bug in the InterpretImageFilename function has been patched.