CVE-2025-66628
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory, and later operations relying on the dimensions can trigger an out-of-bounds read. This issue is fixed in version 7.1.2-10.
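The size calculation described above, as an added example (not ImageMagick's code or its patch): uint32_t stands in for a 32-bit size_t, and all function names are hypothetical. It contrasts the unchecked product with a checked multiplication that rejects header dimensions whose byte count does not fit in 32 bits.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exact byte count in 64-bit arithmetic, for comparison only. */
static uint64_t tim_size_exact(uint16_t width, uint16_t height)
{
    return 2ULL * width * height;
}

/* Unchecked 2 * width * height; uint32_t stands in for a 32-bit size_t. */
static uint32_t tim_size_unchecked(uint16_t width, uint16_t height)
{
    return (uint32_t)2 * (uint32_t)width * (uint32_t)height;
}

/* Multiply two 32-bit values, refusing results that do not fit. */
static bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Checked size: false means the header dimensions must be rejected. */
static bool tim_size_checked(uint16_t width, uint16_t height, uint32_t *out)
{
    uint32_t pixels;
    return mul_u32_checked(width, height, &pixels) &&
           mul_u32_checked(2, pixels, out);
}

int main(void)
{
    /* Constructed header values: 65535 from the description, 320x240 benign. */
    const uint16_t dims[2][2] = { {65535, 65535}, {320, 240} };
    for (int i = 0; i < 2; i++) {
        uint32_t size = 0;
        bool ok = tim_size_checked(dims[i][0], dims[i][1], &size);
        printf("%ux%u exact=%" PRIu64 " unchecked=%" PRIu32 " checked=%s\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               tim_size_exact(dims[i][0], dims[i][1]),
               tim_size_unchecked(dims[i][0], dims[i][1]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

When the checked function returns false, the parser should fail the read before any allocation is made from the header dimensions.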
Meta Information
Published: 2025-12-10
Last Modified: 2025-12-10
Generated: 2026-05-07
AI Q&A: 2025-12-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick 7.1.2-10
imagemagick imagemagick 7.1.2-9
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a critical integer overflow in the TIM image parser of ImageMagick versions 7.1.2-9 and earlier. The parser reads 16-bit width and height values from an image file and calculates the image size by multiplying these values. On 32-bit systems, this multiplication can overflow, causing the program to allocate less memory than needed. This leads to out-of-bounds memory reads when processing the image, potentially causing crashes or other unexpected behavior.


How can this vulnerability impact me?

The vulnerability can lead to out-of-bounds memory reads, which may cause the application to crash or behave unpredictably. Since the CVSS score indicates a high confidentiality impact, it could potentially allow an attacker to read sensitive information from memory, leading to information disclosure.


What immediate steps should I take to mitigate this vulnerability?

Upgrade ImageMagick to version 7.1.2-10 or later, where the integer overflow vulnerability in the TIM image parser is fixed.

