Format String Bug in ImageMagick Affects Multiple Versions
CVE-2025-55298

7.5HIGH

Key Information:

Vendor

Imagemagick
Status
Imagemagick
Vendor
CVE Published:
26 August 2025

What is CVE-2025-55298?

A format string bug vulnerability exists in the InterpretImageFilename function in ImageMagick. This issue allows an attacker to pass user input directly into FormatLocaleString without adequate sanitization, leading to memory corruption. Exploitation of this vulnerability could result in heap overflow and enable attackers to carry out remote code execution, putting systems at significant risk if they run versions prior to 6.9.13-28 or 7.1.2-2. Users are urged to update to the latest versions to mitigate this security concern.

Affected Version(s)

ImageMagick < 7.1.2-2 < 7.1.2-2

ImageMagick < 6.9.13-28 < 6.9.13-28

References

https://github.com/ImageMagick/ImageMagick/security/advis...
x_refsource_CONFIRM
https://github.com/ImageMagick/ImageMagick/commit/439b362...
x_refsource_MISC
https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.