CVE-2025-68950
Stack Overflow in ImageMagick MVG Handling Causes DoS
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | image_magick | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a denial-of-service (DoS) issue that affects availability but does not impact confidentiality or integrity of data. Since it does not lead to data breaches or unauthorized data access, it does not directly affect compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity. However, the DoS could affect system availability, which may be a consideration under some regulations, but no explicit compliance impact is detailed in the provided resources. [1]
Can you explain this vulnerability to me?
This vulnerability in ImageMagick occurs because the software fails to check for circular references between two MVG (Magick Vector Graphics) files, which leads to a stack overflow. This flaw can be triggered when reading an MVG file, causing a denial of service (DoS) condition. The issue was fixed in version 7.1.2-12.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) by triggering a stack overflow when processing specially crafted MVG files. This means that any application or system using vulnerable versions of ImageMagick that reads MVG files could be disrupted or crashed, impacting availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ImageMagick to version 7.1.2-12 or later, as this version fixes the vulnerability related to circular references in MVG files that cause a stack overflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to process MVG files that contain circular references between two MVG files, which trigger a stack overflow and cause ImageMagick to crash. A suggested command to test for this vulnerability is: magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png where L1.mvg is an MVG file crafted to have circular references. If the ImageMagick process crashes or shows stack overflow errors during this command, the system is vulnerable. Monitoring for crashes or AddressSanitizer errors in core functions like GetImagePixelCache, QueueAuthenticPixelCacheNexus, and DrawPolygonPrimitive when processing MVG files can also indicate the presence of this vulnerability. [1]