CVE-2025-68950
Unknown Unknown - Not Provided
Stack Overflow in ImageMagick MVG Handling Causes DoS

Publication date: 2025-12-30

Last updated on: 2025-12-30

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected. Version 7.1.2-12 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2025-12-30
Generated
2026-06-16
AI Q&A
2025-12-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68950
EUVD
EUVD-2025-205804
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imagemagick image_magick *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a denial-of-service (DoS) issue that affects availability but does not impact confidentiality or integrity of data. Since it does not lead to data breaches or unauthorized data access, it does not directly affect compliance with standards like GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity. However, the DoS could affect system availability, which may be a consideration under some regulations, but no explicit compliance impact is detailed in the provided resources. [1]

Executive Summary

This vulnerability in ImageMagick occurs because the software fails to check for circular references between two MVG (Magick Vector Graphics) files, which leads to a stack overflow. This flaw can be triggered when reading an MVG file, causing a denial of service (DoS) condition. The issue was fixed in version 7.1.2-12.

Impact Analysis

The vulnerability can cause a denial of service (DoS) by triggering a stack overflow when processing specially crafted MVG files. This means that any application or system using vulnerable versions of ImageMagick that reads MVG files could be disrupted or crashed, impacting availability.

Mitigation Strategies

Upgrade ImageMagick to version 7.1.2-12 or later, as this version fixes the vulnerability related to circular references in MVG files that cause a stack overflow.

Detection Guidance

This vulnerability can be detected by attempting to process MVG files that contain circular references between two MVG files, which trigger a stack overflow and cause ImageMagick to crash. A suggested command to test for this vulnerability is: magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png where L1.mvg is an MVG file crafted to have circular references. If the ImageMagick process crashes or shows stack overflow errors during this command, the system is vulnerable. Monitoring for crashes or AddressSanitizer errors in core functions like GetImagePixelCache, QueueAuthenticPixelCacheNexus, and DrawPolygonPrimitive when processing MVG files can also indicate the presence of this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart