Cyber Resilience

CVE-2025-55298

HighPublic PoC

Published: 26 August 2025

Published
26 August 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0100 77.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55298 is a high-severity Write-what-where Condition (CWE-123) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

ImageMagick is an open-source image editing and manipulation library affected by a format string vulnerability in the InterpretImageFilename function. Prior to versions 6.9.13-28 and 7.1.2-2, the function passes unsanitized user input directly to FormatLocaleString, enabling attackers to trigger memory corruption. The flaw is tracked under CWE-134 and CWE-123 and carries a CVSS 3.1 score of 7.5.

An attacker with low privileges and network access can supply a crafted image filename or metadata that overwrites arbitrary memory regions. Successful exploitation can progress from heap corruption to remote code execution, although the attack requires high complexity due to the AC:H rating.

Official patches are available in ImageMagick 6.9.13-28 and 7.1.2-2, with the fix documented in commit 439b362b93c074eea6c3f834d84982b43ef057d5 and the corresponding GitHub Security Advisory GHSA-9ccg-6pjw-x645. Downstream projects such as Magick.NET 14.8.1 and Debian LTS have issued coordinated updates that incorporate the same remediation.

EPSS remains flat at 0.01 with no material increase after disclosure, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization.…

more

An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Format string vuln in ImageMagick enables direct RCE via crafted network input to public image-processing services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26284Same product: Imagemagick Imagemagick
CVE-2025-53101Same product: Imagemagick Imagemagick
CVE-2026-23876Same product: Imagemagick Imagemagick
CVE-2026-25987Same product: Imagemagick Imagemagick
CVE-2026-25985Same product: Imagemagick Imagemagick
CVE-2026-25988Same product: Imagemagick Imagemagick
CVE-2026-24481Same product: Imagemagick Imagemagick
CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-25794Same product: Imagemagick Imagemagick
CVE-2026-25969Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-28 · 7.0.0-0 — 7.1.2-2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and remediation of software flaws like the format string vulnerability in ImageMagick via patching to fixed versions.

prevent

Implements memory protections such as address space layout randomization and non-executable memory to mitigate heap overflows and arbitrary memory corruption from the format string bug.

prevent

Requires validation and sanitization of user inputs prior to processing by ImageMagick's InterpretImageFilename to block malicious format strings.

References