4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65955

GHSA ID

GHSA-q3hc-j9x5-mp9m

EPSS Score

0.00012%

CWE

CWE-415

Published

12/3/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65955

CVE-2025-65955: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string.

Vulnerability Details

Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory.
DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption.

if (family_.length() == 0)
  {
    _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
    DestroyString(RemoveImageOption(imageInfo(),"family"));
  }

CWE-416 (Use After Free): _drawInfo->font is left dangling yet still reachable through the Options object.
CWE-415 (Double Free): DrawInfo teardown frees _drawInfo->font again, provoking allocator aborts.

Affected Versions

Introduced by commit 6409f34d637a34a1c643632aa849371ec8b3b5a8 (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).
Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without fontFamily are unaffected.

Command Line Triggerability This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the Options::fontFamily() method. The command-line utilities (such as convert, magick, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call Options::fontFamily() with an empty string in a way that would trigger the use-after-free condition.

Proposed Fix

diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp
@@ void Magick::Options::fontFamily(const std::string &family_)
-      _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font);
+      _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);

This frees only the actual family string, leaving _drawInfo->font untouched. Optionally nulling _drawInfo->font when clearing font() itself maintains allocator hygiene.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65955

CVE-2025-65955:

4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65955

GHSA ID

GHSA-q3hc-j9x5-mp9m

EPSS Score

0.00012%

CWE

CWE-415

Published

12/3/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions
Magick.NET-Q16-AnyCPU	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-AnyCPU	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-OpenMP-arm64	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-OpenMP-x64	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-arm64	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-x64	nuget	<= 14.9.1
Magick.NET-Q16-HDRI-x86	nuget	<= 14.9.1
Magick.NET-Q16-OpenMP-arm64	nuget	<= 14.9.1
Magick.NET-Q16-OpenMP-x64	nuget	<= 14.9.1
Magick.NET-Q16-arm64	nuget	<= 14.9.1
Magick.NET-Q16-x64	nuget	<= 14.9.1
Magick.NET-Q16-x86	nuget	<= 14.9.1
Magick.NET-Q8-AnyCPU	nuget	<= 14.9.1
Magick.NET-Q8-OpenMP-arm64	nuget	<= 14.9.1
Magick.NET-Q8-OpenMP-x64	nuget	<= 14.9.1
Magick.NET-Q8-arm64	nuget	<= 14.9.1
Magick.NET-Q8-x64	nuget	<= 14.9.1
Magick.NET-Q8-x86	nuget	<= 14.9.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the provided security advisory and the associated git commits. The introducing commit 6409f34d637a34a1c643632aa849371ec8b3b5a8 added the Magick::Options::fontFamily function with the flawed logic. The fixing commit 6f81eb15f822ad86e8255be75efad6f9762c32f8 directly corrects the erroneous memory management call within this specific function. The vulnerability is a use-after-free that occurs when Options::fontFamily is called with an empty string, causing it to free _drawInfo->font instead of _drawInfo->family, leaving a dangling pointer that can be double-freed or used after being freed.

Vulnerable functions

Magick::Options::fontFamily

Magick++/lib/Options.cpp

When an empty string is passed to this function, it incorrectly frees the `_drawInfo->font` pointer and assigns the dangling pointer to `_drawInfo->family`. This leads to a use-after-free condition, as `_drawInfo->font` can be freed again later or dereferenced, causing heap corruption or a crash.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65955: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

CVE-2025-65955:

4.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

4.9

4.9

Basic Information

Basic Information

CVE-2025-65955: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI