Cyber Posture

CVE-2025-27795

Medium

Published: 07 March 2025

Published
07 March 2025
Modified
29 January 2026
KEV Added
Patch
CVSS Score 4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
EPSS Score 0.0008 23.3th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27795 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Graphicsmagick Graphicsmagick. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-6 Resource Availability good match
prevent

SC-6 directly mandates resource limits and allocation management techniques to prevent exhaustion from oversized image dimensions in ReadJXLImage.

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs like JXL image dimensions to reject crafted files that trigger unbounded resource allocation.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely flaw remediation by patching GraphicsMagick to version 1.3.46 or later, which adds the missing image dimension limits.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The vulnerability enables local resource exhaustion via a crafted JXL image in GraphicsMagick, directly facilitating Endpoint Denial of Service through Application or System Exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits.

Deeper analysisAI

CVE-2025-27795 is a vulnerability in the ReadJXLImage function within the JXL component of GraphicsMagick versions before 1.3.46, where image dimension resource limits are lacking. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 4.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L), indicating a medium-severity problem primarily affecting availability.

Local attackers can exploit this flaw with low attack complexity, requiring no privileges or user interaction. By providing a specially crafted JXL image, they can trigger resource exhaustion, leading to a denial-of-service condition with limited availability impact and changed scope due to interactions with the JXL library.

GraphicsMagick mitigates this vulnerability in version 1.3.46, as documented in the project's NEWS file and via commit 9bbae7314e3c3b19b830591010ed90bb136b9c42. Additional context from libjxl GitHub issues (e.g., #3792 and #3793) and an OSS-Fuzz report (#42536330) highlights discovery through fuzzing efforts.

Details

CWE(s)
CWE-770

Affected Products

graphicsmagick
graphicsmagick
≤ 1.3.46

CVEs Like This One

CVE-2025-27796Same product: Graphicsmagick Graphicsmagick
CVE-2026-33256Shared CWE-770
CVE-2026-26313Shared CWE-770
CVE-2025-27219Shared CWE-770
CVE-2026-24458Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2026-34513Shared CWE-770
CVE-2026-5438Shared CWE-770
CVE-2025-21521Shared CWE-770

References