CVE-2025-55298
Published: 26 August 2025
Summary
CVE-2025-55298 is a high-severity Write-what-where Condition (CWE-123) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
ImageMagick is an open-source image editing and manipulation library affected by a format string vulnerability in the InterpretImageFilename function. Prior to versions 6.9.13-28 and 7.1.2-2, the function passes unsanitized user input directly to FormatLocaleString, enabling attackers to trigger memory corruption. The flaw is tracked under CWE-134 and CWE-123 and carries a CVSS 3.1 score of 7.5.
An attacker with low privileges and network access can supply a crafted image filename or metadata that overwrites arbitrary memory regions. Successful exploitation can progress from heap corruption to remote code execution, although the attack requires high complexity due to the AC:H rating.
Official patches are available in ImageMagick 6.9.13-28 and 7.1.2-2, with the fix documented in commit 439b362b93c074eea6c3f834d84982b43ef057d5 and the corresponding GitHub Security Advisory GHSA-9ccg-6pjw-x645. Downstream projects such as Magick.NET 14.8.1 and Debian LTS have issued coordinated updates that incorporate the same remediation.
EPSS remains flat at 0.01 with no material increase after disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25836
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization.…
more
An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Format string vuln in ImageMagick enables direct RCE via crafted network input to public image-processing services.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely identification, reporting, and remediation of software flaws like the format string vulnerability in ImageMagick via patching to fixed versions.
Implements memory protections such as address space layout randomization and non-executable memory to mitigate heap overflows and arbitrary memory corruption from the format string bug.
Requires validation and sanitization of user inputs prior to processing by ImageMagick's InterpretImageFilename to block malicious format strings.