logo

Database

Out-of-bounds read In magick.net-q16-anycpu

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

1-10 of 23

10

Aliases

1. CVE-2025-552982. NVD-2025-552983. OSV-2025-552984. OSV-DEBIAN-2025-552985. GHSA-9ccg-6pjw-x6456. GCVE-2025-552987. lists.debian.org8. SECURITY-TRACKER-CVE-2025-55298

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x6452. https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d53. https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.