{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55298", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-12T16:15:30.238Z", "datePublished": "2025-08-26T17:20:17.112Z", "dateUpdated": "2025-08-26T20:36:40.704Z"}, "containers": {"cna": {"title": "ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-123", "lang": "en", "description": "CWE-123: Write-what-where Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-134", "lang": "en", "description": "CWE-134: Use of Externally-Controlled Format String", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645"}, {"name": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5"}, {"name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-2", "status": "affected"}, {"version": "< 6.9.13-28", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-26T17:20:17.112Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2."}], "source": {"advisory": "GHSA-9ccg-6pjw-x645", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-26T20:36:37.310582Z", "id": "CVE-2025-55298", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T20:36:40.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55298", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-26T20:36:37.310582Z"}}}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T20:36:32.620Z"}}], "cna": {"title": "ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution", "source": {"advisory": "GHSA-9ccg-6pjw-x645", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": "< 7.1.2-2"}, {"status": "affected", "version": "< 6.9.13-28"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5", "name": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-123", "description": "CWE-123: Write-what-where Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-134", "description": "CWE-134: Use of Externally-Controlled Format String"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-26T17:20:17.112Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55298", "state": "PUBLISHED", "dateUpdated": "2025-08-26T20:36:40.704Z", "dateReserved": "2025-08-12T16:15:30.238Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-26T17:20:17.112Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "B123C6EB-CD31-49C5-96C3-41A560B87CD5", "versionEndExcluding": "6.9.13-28", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "84949254-D128-4390-9EBB-74CE243F85BB", "versionEndExcluding": "7.1.2-2", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2."}, {"lang": "es", "value": "ImageMagick es un software gratuito y de c\u00f3digo abierto que se utiliza para editar y manipular im\u00e1genes digitales. Antes de las versiones 6.9.13-28 y 7.1.2-2 de ImageMagick, exist\u00eda una vulnerabilidad de error de formato de cadena en la funci\u00f3n InterpretImageFilename, donde la entrada del usuario se pasaba directamente a FormatLocaleString sin la debida depuraci\u00f3n. Un atacante pod\u00eda sobrescribir regiones de memoria arbitrarias, lo que permit\u00eda una amplia gama de ataques, desde el desbordamiento de pila hasta la ejecuci\u00f3n remota de c\u00f3digo. Este problema se ha corregido en las versiones 6.9.13-28 y 7.1.2-2."}], "id": "CVE-2025-55298", "lastModified": "2025-09-02T18:10:39.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-26T18:15:47.583", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-123"}, {"lang": "en", "value": "CWE-134"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution", "id": "2391097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391097"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-123|CWE-134)", "details": ["A flaw was found in ImageMagick. Processing a file with a specially crafted name, specifically one with format specifiers such as %d, %o, or %x, can trigger a format string bug due to improper input sanitization, resulting in a heap-based buffer over-read or arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "To prevent unintended interpretation of the filename as a format string, users can explicitly disable format string parsing by defining the filename as a literal. This can be done using the following directive:\nIn wrappers: filename:literal\nFrom the command line: -define filename:literal=true"}, "name": "CVE-2025-55298", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2025-08-26T17:20:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-55298\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55298\nhttps://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"], "statement": "This issue can cause a heap-based buffer over-read or arbitrary code execution via a crafted filename. However, default Red Hat Enterprise Linux security features such as SELinux enforcement, Address Space Layout Randomization (ASLR) and memory protections reduce the possibility of exploitation, limiting the impact to a denial of service.\nAdditionally, ImageMagick is not shipped in Red Hat Enterprise Linux 8, 9 and 10. Therefore, these versions are not affected by this vulnerability.", "threat_severity": "Important"}