CVE-2025-55298
Published 2025-08-26
Priority P268 high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.06% (89.4th percentile)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug exists in the InterpretImageFilename function, where user input is passed directly to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | imagemagick | < imagemagick 8:6.9.11.60+dfsg-1.6+deb12u4 (bookworm) | imagemagick 8:6.9.11.60+dfsg-1.6+deb12u4 (bookworm) |
| imagemagick | imagemagick | < 7.1.2-2 | 7.1.2-2 |
| imagemagick | imagemagick | < 6.9.13-28 | 6.9.13-28 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3+deb11u6 | 8:6.9.11.60+dfsg-1.3+deb11u6 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6+deb12u4 | 8:6.9.11.60+dfsg-1.6+deb12u4 |
| imagemagick | imagemagick | >= 0 < 8:7.1.1.43+dfsg1-1+deb13u2 | 8:7.1.1.43+dfsg1-1+deb13u2 |
| imagemagick | imagemagick | >= 0 < 8:7.1.2.3+dfsg1-1 | 8:7.1.2.3+dfsg1-1 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10-6ubuntu3.13+esm15 | 8:6.7.7.10-6ubuntu3.13+esm15 |
| imagemagick | imagemagick | >= 0 < 8:6.8.9.9-7ubuntu5.16+esm14 | 8:6.8.9.9-7ubuntu5.16+esm14 |
| imagemagick | imagemagick | >= 0 < 8:6.9.7.4+dfsg-16ubuntu6.15+esm6 | 8:6.9.7.4+dfsg-16ubuntu6.15+esm6 |
| imagemagick | imagemagick | >= 0 < 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm4 | 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm4 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm4 | 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm4 |
| imagemagick | imagemagick | >= 0 < 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm3 | 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm3 |
| imagemagick | imagemagick | >= 7.0.0-0 < 7.1.2-2 | 7.1.2-2 |
Detection & IOCs
- Flag image filenames containing printf-style format specifiers (%d, %o, %x, etc.) that reach ImageMagick's InterpretImageFilename / FormatLocaleString code path; these are the crafted inputs that trigger the vulnerability.
- Monitor ImageMagick process invocations where filenames supplied on the command line or via wrappers contain % characters followed by conversion specifiers (d, o, x, s, n, etc.), which are the attack vector for this format string bug.
- Detect vulnerable ImageMagick versions: any release prior to 6.9.13-28 (6.x branch) or 7.1.2-2 (7.x branch) is unpatched and susceptible to this format string RCE.
- Treat the '-define filename:literal=true' flag (or the 'filename:literal' wrapper directive) as the workaround indicator: when it is absent from an ImageMagick invocation, format string parsing is active and exploitation is possible.
- Default Red Hat Enterprise Linux mitigations (SELinux, ASLR, memory protections) reduce exploitability to denial-of-service in practice; however, the vulnerability still exists in unpatched ImageMagick builds on those platforms.
- ImageMagick is not shipped in Red Hat Enterprise Linux 8, 9, or 10, so those RHEL versions are not affected and do not require patching.
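The command-line checks in the list above can be combined into one triage pass over process-audit records. The following is an added example, not code from ImageMagick or from any of the advisories; the binary list, the specifier regex and the sample lines are assumptions constructed for illustration, and the `-define filename:literal=true` flag is taken from the list above.

```python
import re
import shlex

# Assumed set of ImageMagick front-end binaries to watch (adjust per host).
IM_BINARIES = {"magick", "convert", "mogrify", "identify", "composite", "montage"}

# '%' + optional flags/width/precision/length + a printf conversion character.
SPECIFIER = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGcspn]")

LITERAL_DEFINE = "filename:literal=true"


def has_literal_define(argv):
    """True when '-define filename:literal=true' appears in the invocation."""
    return any(a == "-define" and b.lower() == LITERAL_DEFINE
               for a, b in zip(argv, argv[1:]))


def inspect_invocation(cmdline):
    """Return None for non-ImageMagick commands, else a finding dict."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in IM_BINARIES:
        return None
    suspicious = []
    for arg in argv[1:]:
        # '%%' is an escaped literal percent sign, so drop it before matching.
        hits = SPECIFIER.findall(arg.replace("%%", ""))
        if hits:
            suspicious.append((arg, hits))
    literal = has_literal_define(argv)
    # Alert only when specifiers are present and literal mode is not set.
    return {"binary": argv[0], "specifier_args": suspicious,
            "literal_define": literal, "alert": bool(suspicious) and not literal}


def scan(lines):
    """Return (line, finding) pairs that need analyst review."""
    return [(l, f) for l in lines if (f := inspect_invocation(l)) and f["alert"]]


# Constructed sample process-audit lines (not from a real system).
SAMPLE = [
    "/usr/bin/convert upload_1234.png -resize 200x200 thumb.png",
    "/usr/bin/magick 'photo%x%x%x.jpg' out.png",
    "/usr/bin/magick -define filename:literal=true 'photo%x%x%x.jpg' out.png",
    "/usr/bin/convert in.gif 'frame-%03d.png'",  # sequence template: still review
    "/bin/cp report%d.txt /tmp/",
]
```

The check is a heuristic: a hit such as `frame-%03d.png` is a normal output template when an operator typed it, so triage should focus on whether the flagged argument originated from untrusted input such as an uploaded file name.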
CVSS provenance
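| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |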
OSV
imagemagick vulnerabilities
osv·2025-10-08·CVSS 8.8
Woojin Park, Hojun Lee, Yougin Won and Siyeon Han discovered that
ImageMagick did not properly sanitize image file names. An attacker could
possibly use this issue to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2025-55298)
Lumina Mescuwa discovered that ImageMagick did not properly handle memory
when encoding BMP images. An attacker could possibly use this issue to
cause ImageMagick to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2025-57803)
OSV
ImageMagick has a Format String Bug in InterpretImageFilename leads to arbitrary code execution
osv·2025-08-26
## Summary
A format string bug exists in the `InterpretImageFilename` function, where user input is passed directly to `FormatLocaleString` without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution.
## Details
### root cause
```c
MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
  Image *image,const char *format,int value,char *filename,
  ExceptionInfo *exception)
{
  ...
  while ((cursor=strchr(cursor,'%')) != (const char *) NULL)
  {
    const char
      *q = cursor;
    ssize_t
      offset = (ssize_t) (cursor-format);
    cursor++; /* move past '%' */
    if (*cursor == '%')
      {
        /*
          Escaped %%.
        */
        ...
```
OSV
CVE-2025-55298: ImageMagick is free and open-source software used for editing and manipulating digital images
osv·2025-08-26·CVSS 8.8
GHSA
ImageMagick has a Format String Bug in InterpretImageFilename leads to arbitrary code execution
ghsa·2025-08-26
CVE-2025-55298 [HIGH] CWE-123
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2025-10-08·CVSS 7.5
Summary: Several security issues were fixed in ImageMagick.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
ImageMagick: ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution
vendor_redhat·2025-08-26·CVSS 7.5
CVE-2025-55298 [HIGH] CWE-134
A flaw was found in ImageMagick. Processing a file with a specially crafted name, specifically one with format specifiers such as %d, %o, or %x, can trigger a format string bug due to imprope
Debian
CVE-2025-55298: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...
vendor_debian·2025·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 8:6.9.11.60+dfsg-1.6+deb12u4)
bullseye: resolved (fixed in 8:6.9.11.60+dfsg-1.3+deb11u6)
forky: resolved (fixed in 8:7.1.2.3+dfsg1-1)
sid: resolved (fixed in 8:7.1.2.3+dfsg1-1)
trixie: resolved (fixed in 8:7.1.1.43+dfsg1-1+deb13u2)
No detection rules found.
No public exploits indexed.
- https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645
- https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
- https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
Published: 2025-08-26