7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-53015

GHSA ID

GHSA-vmhh-8rxq-fp9g

EPSS Score

0.16299%

CWE

CWE-835

Published

7/23/2025

Updated

7/23/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53015

CVE-2025-53015: ImageMagick has XMP profile write that triggers hang due to unbounded loop

Summary

Infinite lines occur when writing during a specific XMP file conversion command

Details

#0  GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578
#1  GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564
#2  SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605
#3  0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651
#4  0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288
#5  0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at MagickCore/constitute.c:1575
#6  0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993
#7  0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473
#8  0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758
#9  0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392
#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 <MagickImageCommand>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177
#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162
#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 <main>, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 <main>, argc=3, argv=0x7fffffffdfa8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
#14 0x000055555559f535 in _start ()

static void GetXmpNumeratorAndDenominator(double value,
  unsigned long *numerator,unsigned long *denominator)
{
  double
    df;

  *numerator=0;
  *denominator=1;
  if (value <= MagickEpsilon)
    return;
  *numerator=1;
  df=1.0;
  while(fabs(df - value) > MagickEpsilon)
  {
    if (df < value)
      (*numerator)++;
    else
      {
        (*denominator)++;
        *numerator=(unsigned long) (value*(*denominator));
      }
    df=*numerator/(double)*denominator;
  }
}

In this code, the loop while(fabs(df - value) > MagickEpsilon) keeps repeating endlessly.

PoC

magick hang a.mng https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing

Impact

XMP profile write triggers hang due to unbounded loop

credits

Team Pay1oad DVE

Reporter : Shinyoung Won (with contributions from WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae, Kyusang Han, JaeHun Gou)

yosimich(@yosiimich) Shinyoung Won of SSA Lab

e-mail : [yosimich123@gmail.com]

Woojin Jeon

Gtihub : brainoverflow

e-mail : [root@brainoverflow.kr]

WooJin Park

GitHub : jin-156

e-mail : [1203kids@gmail.com]

Who4mI(@GAP-dev) Lee DongHa of SSA Lab

Github: GAP-dev

e-mail : [ceo@zeropointer.co.kr]

JungWoo Park

Github : JungWooJJING

e-mail : [cuby5577@gmail.com]

Juwon Chae

Github : I_mho

e-mail : [wndnjs4698@naver.com]

Kyusang Han

Github : T1deSEC

e-mail : [hksjoe0081@gmail.com]

JaeHun Gou

Github : P2GONE

e-mail : [charly20@naver.com]

Commits

Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-53015

GHSA ID

GHSA-vmhh-8rxq-fp9g

EPSS Score

0.16299%

CWE

CWE-835

Published

7/23/2025

Updated

7/23/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Magick.NET-Q8-AnyCPU	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-AnyCPU	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-AnyCPU	nuget	< 14.7.0	14.7.0
Magick.NET-Q8-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q8-arm64	nuget	< 14.7.0	14.7.0
Magick.NET-Q8-x86	nuget	< 14.7.0	14.7.0
Magick.NET-Q8-OpenMP-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q8-OpenMP-arm64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-arm64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-x86	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-OpenMP-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-OpenMP-arm64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-OpenMP-x86	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-arm64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-x86	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-OpenMP-x64	nuget	< 14.7.0	14.7.0
Magick.NET-Q16-HDRI-OpenMP-arm64	nuget	< 14.7.0	14.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the GetXmpNumeratorAndDenominator function in MagickCore/profile.c. The function is designed to find the numerator and denominator of a floating-point number. However, for certain large input values, the logic within the while loop fails to converge, leading to an infinite loop and a denial-of-service (DoS) condition. The provided stack trace clearly points to this function as the culprit. The two commits, 229fa96a988a21d78318bbca61245a6ed1ee33a0 and 38631605e6ab744548a561797472cf8648bcfe26, directly address this issue by adding boundary checks and special handling for integer values before the loop begins, thus preventing the hang. The first commit adds the initial checks, and the second commit adds a missing return statement to ensure the fix is effective.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry In*init* lin*s o**ur w**n writin* *urin* * sp**i*i* XMP *il* *onv*rsion *omm*n* ### **t*ils ``` #* **tXmpNum*r*tor*n***nomin*tor (**nomin*tor=<optimiz** out>, num*r*tor=<optimiz** out>, v*lu*=<optimiz** out>) *t M**i*k*or*/pro*il*.*:****

Reasoning

T** vuln*r**ility li*s in t** `**tXmpNum*r*tor*n***nomin*tor` *un*tion in `M**i*k*or*/pro*il*.*`. T** *un*tion is **si*n** to *in* t** num*r*tor *n* **nomin*tor o* * *lo*tin*-point num**r. *ow*v*r, *or **rt*in l*r** input v*lu*s, t** lo*i* wit*in t**

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-53015: ImageMagick has XMP profile write that triggers hang due to unbounded loop

Summary

Details

PoC

Impact

credits

Commits

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI