Introduction
Malicious image files can compromise web servers and backend systems that rely on automated image processing. CVE-2025-55154 exposes a critical weakness in ImageMagick, a library used globally for editing and converting digital images in web applications, content management systems, and cloud services.
ImageMagick is a foundational open-source project in the graphics software ecosystem. It is integrated into thousands of products and platforms, powering everything from social media uploads to document conversion pipelines. Its security posture directly impacts a wide range of industries and user bases.
Technical Information
CVE-2025-55154 is a memory corruption vulnerability in ImageMagick's implementation of the MNG (Multiple-image Network Graphics) format. The flaw resides in the ReadOneMNGImage function within the coders/png.c source file. Specifically, the vulnerability is triggered by unsafe magnified size calculations that can overflow integer boundaries. When processing a specially crafted MNG file, arithmetic operations on image dimensions or related parameters can exceed the maximum value representable by the integer type in use.
This integer overflow results in incorrect buffer size calculations. Subsequent memory allocations may be too small for the actual data processed, leading to heap corruption. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). Attackers can exploit this by submitting malicious MNG images to systems using vulnerable ImageMagick versions, potentially leading to arbitrary code execution or application crashes.
No public vulnerable code snippet is available for this issue at the time of writing. The vulnerability was identified through advanced automated analysis by Google's Big Sleep AI research initiative.
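The following is an added illustration of the CWE-190 pattern described above, not ImageMagick's code and not taken from the advisory. It assumes a simplified, hypothetical model in which a dimension is multiplied by a 16-bit magnification factor (all function names and sample values are constructed), and it shows the wrapping 32-bit product next to a checked calculation that rejects the same input before any allocation size is derived.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model: a dimension is scaled by a 16-bit
   magnification factor. This is not ImageMagick's formula or code. */

/* Unsafe pattern: the 32-bit product wraps modulo 2^32 without any error. */
uint32_t magnified_unchecked(uint32_t dim, uint16_t factor)
{
    return dim * (uint32_t)factor;
}

/* Hardened pattern: refuse any product that does not fit in 32 bits. */
bool magnified_checked(uint32_t dim, uint16_t factor, uint32_t *out)
{
    if (factor != 0 && dim > UINT32_MAX / factor)
        return false;
    *out = dim * (uint32_t)factor;
    return true;
}

/* Bytes needed for the magnified image, with every multiplication checked. */
bool magnified_buffer_size(uint32_t w, uint32_t h, uint16_t mx, uint16_t my,
                           size_t bytes_per_pixel, size_t *bytes)
{
    uint32_t mw, mh;
    if (!magnified_checked(w, mx, &mw) || !magnified_checked(h, my, &mh))
        return false;
    if (mw == 0 || mh == 0 || bytes_per_pixel == 0)
        return false;   /* a zero-sized image is never a valid result */
    if (mw > SIZE_MAX / bytes_per_pixel)
        return false;
    size_t row = (size_t)mw * bytes_per_pixel;
    if (mh > SIZE_MAX / row)
        return false;
    *bytes = row * mh;
    return true;
}

int main(void)
{
    /* Constructed values: 0x20000 * 0x8000 == 2^32, which wraps to 0. */
    size_t bytes = 0;
    printf("unchecked width: %u\n", (unsigned)magnified_unchecked(0x20000u, 0x8000u));
    printf("checked accepts: %d\n", magnified_buffer_size(0x20000u, 16, 0x8000u, 1, 4, &bytes));
    return 0;
}
```

A buffer sized from the wrapped value would be far smaller than the data later written into it, which is the heap corruption condition the advisory describes.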
Affected Systems and Versions
- ImageMagick versions prior to 6.9.13-27 (6.x branch)
- ImageMagick versions prior to 7.1.2-1 (7.x branch)
- All configurations processing MNG images using affected versions are vulnerable
Vendor Security History
ImageMagick has a history of vulnerabilities related to memory safety, integer overflows, and complex image format parsing. Previous issues include:
- CVE-2022-32546: Integer overflow in coders/pcl.c
- CVE-2020-27768: Integer overflow in MagickCore/quantum-private.h
- Multiple advisories published on the ImageMagick GitHub Security page
The vendor typically issues timely public advisories and patches for reported vulnerabilities. The project is maintained by a global community of contributors.