Cyber Resilience

CVE-2025-27795

Medium

Published: 07 March 2025

Published
07 March 2025
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
EPSS Score 0.0008 23.5th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27795 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Graphicsmagick Graphicsmagick. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-27795 is a vulnerability in the ReadJXLImage function within the JXL component of GraphicsMagick versions before 1.3.46, where image dimension resource limits are lacking. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 4.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L), indicating a medium-severity problem primarily affecting availability.

Local attackers can exploit this flaw with low attack complexity, requiring no privileges or user interaction. By providing a specially crafted JXL image, they can trigger resource exhaustion, leading to a denial-of-service condition with limited availability impact and changed scope due to interactions with the JXL library.

GraphicsMagick mitigates this vulnerability in version 1.3.46, as documented in the project's NEWS file and via commit 9bbae7314e3c3b19b830591010ed90bb136b9c42. Additional context from libjxl GitHub issues (e.g., #3792 and #3793) and an OSS-Fuzz report (#42536330) highlights discovery through fuzzing efforts.

EU & UK References

Vulnerability details

ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables local resource exhaustion via a crafted JXL image in GraphicsMagick, directly facilitating Endpoint Denial of Service through Application or System Exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27796Same product: Graphicsmagick Graphicsmagick
CVE-2021-47877Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2025-66560Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2020-37038Shared CWE-770
CVE-2025-36070Shared CWE-770
CVE-2021-47791Shared CWE-770
CVE-2021-47876Shared CWE-770
CVE-2019-25342Shared CWE-770

Affected Assets

graphicsmagick
graphicsmagick
≤ 1.3.46

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-6 directly mandates resource limits and allocation management techniques to prevent exhaustion from oversized image dimensions in ReadJXLImage.

prevent

SI-10 requires validation of information inputs like JXL image dimensions to reject crafted files that trigger unbounded resource allocation.

prevent

SI-2 ensures timely flaw remediation by patching GraphicsMagick to version 1.3.46 or later, which adds the missing image dimension limits.

References