ghsa-vmhh-8rxq-fp9g
Vulnerability from github
Published
2025-07-23 20:03
Modified
2025-07-23 20:03
Severity ?
Summary
ImageMagick has XMP profile write that triggers hang due to unbounded loop
Details
Summary
Infinite lines occur when writing during a specific XMP file conversion command
Details
```
0 GetXmpNumeratorAndDenominator (denominator=, numerator=, value=) at MagickCore/profile.c:2578
1 GetXmpNumeratorAndDenominator (denominator=, numerator=, value=720000000000000) at MagickCore/profile.c:2564
2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605
3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651
4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288
5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=, images@entry=0x555555bb9ea0, filename=, exception=0x555555b7bea0) at MagickCore/constitute.c:1575
6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write", arg1n=arg1n@entry=0x7fffffffe2c7 "a.mng", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993
7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe "-write") at MagickWand/operation.c:5473
8 0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758
9 0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392
10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 , argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177
11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162
12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 , argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58
13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 , argc=3, argv=0x7fffffffdfa8, init=, fini=, rtld_fini=, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392
14 0x000055555559f535 in _start ()
static void GetXmpNumeratorAndDenominator(double value,
unsigned long numerator,unsigned long denominator)
{
double
df;
numerator=0;
denominator=1;
if (value <= MagickEpsilon)
return;
numerator=1;
df=1.0;
while(fabs(df - value) > MagickEpsilon)
{
if (df < value)
(numerator)++;
else
{
(denominator)++;
numerator=(unsigned long) (value(denominator));
}
df=numerator/(double)denominator;
}
}
``
In this code, the loopwhile(fabs(df - value) > MagickEpsilon)` keeps repeating endlessly.
PoC
magick hang a.mng
https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing
Impact
XMP profile write triggers hang due to unbounded loop
credits
Team Pay1oad DVE
Reporter : Shinyoung Won (with contributions from WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae, Kyusang Han, JaeHun Gou)
yosimich(@yosiimich) Shinyoung Won of SSA Lab
e-mail : [yosimich123@gmail.com]
Woojin Jeon
Gtihub : brainoverflow
e-mail : [root@brainoverflow.kr]
WooJin Park
GitHub : jin-156
e-mail : [1203kids@gmail.com]
Who4mI(@GAP-dev) Lee DongHa of SSA Lab
Github: GAP-dev
e-mail : [ceo@zeropointer.co.kr]
JungWoo Park
Github : JungWooJJING
e-mail : [cuby5577@gmail.com]
Juwon Chae
Github : I_mho
e-mail : [wndnjs4698@naver.com]
Kyusang Han
Github : T1deSEC
e-mail : [hksjoe0081@gmail.com]
JaeHun Gou
Github : P2GONE
e-mail : [charly20@naver.com]
Commits
Fixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53015"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-23T20:03:41Z",
"nvd_published_at": "2025-07-14T20:15:28Z",
"severity": "HIGH"
},
"details": "### Summary\nInfinite lines occur when writing during a specific XMP file conversion command\n### Details\n```\n#0 GetXmpNumeratorAndDenominator (denominator=\u003coptimized out\u003e, numerator=\u003coptimized out\u003e, value=\u003coptimized out\u003e) at MagickCore/profile.c:2578\n#1 GetXmpNumeratorAndDenominator (denominator=\u003csynthetic pointer\u003e, numerator=\u003csynthetic pointer\u003e, value=720000000000000) at MagickCore/profile.c:2564\n#2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605\n#3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651\n#4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288\n#5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=\u003coptimized out\u003e, images@entry=0x555555bb9ea0, filename=\u003coptimized out\u003e, exception=0x555555b7bea0) at MagickCore/constitute.c:1575\n#6 0x00005555559650c4 in CLINoImageOperator (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\", arg1n=arg1n@entry=0x7fffffffe2c7 \"a.mng\", arg2n=arg2n@entry=0x0) at MagickWand/operation.c:4993\n#7 0x0000555555974579 in CLIOption (cli_wand=cli_wand@entry=0x555555b85790, option=option@entry=0x5555559beebe \"-write\") at MagickWand/operation.c:5473\n#8 0x00005555559224aa in ProcessCommandOptions (cli_wand=cli_wand@entry=0x555555b85790, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, index=index@entry=1) at MagickWand/magick-cli.c:758\n#9 0x000055555592276d in MagickImageCommand (image_info=image_info@entry=0x555555b824a0, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=metadata@entry=0x7fffffffbc10, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:1392\n#10 0x00005555559216a0 in MagickCommandGenesis (image_info=image_info@entry=0x555555b824a0, command=command@entry=0x555555922640 \u003cMagickImageCommand\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8, metadata=0x0, exception=exception@entry=0x555555b7bea0) at MagickWand/magick-cli.c:177\n#11 0x000055555559f76b in MagickMain (argc=3, argv=0x7fffffffdfa8) at utilities/magick.c:162\n#12 0x00007ffff700fd90 in __libc_start_call_main (main=main@entry=0x55555559aec0 \u003cmain\u003e, argc=argc@entry=3, argv=argv@entry=0x7fffffffdfa8) at ../sysdeps/nptl/libc_start_call_main.h:58\n#13 0x00007ffff700fe40 in __libc_start_main_impl (main=0x55555559aec0 \u003cmain\u003e, argc=3, argv=0x7fffffffdfa8, init=\u003coptimized out\u003e, fini=\u003coptimized out\u003e, rtld_fini=\u003coptimized out\u003e, stack_end=0x7fffffffdf98) at ../csu/libc-start.c:392\n#14 0x000055555559f535 in _start ()\n```\n```\nstatic void GetXmpNumeratorAndDenominator(double value,\n unsigned long *numerator,unsigned long *denominator)\n{\n double\n df;\n\n *numerator=0;\n *denominator=1;\n if (value \u003c= MagickEpsilon)\n return;\n *numerator=1;\n df=1.0;\n while(fabs(df - value) \u003e MagickEpsilon)\n {\n if (df \u003c value)\n (*numerator)++;\n else\n {\n (*denominator)++;\n *numerator=(unsigned long) (value*(*denominator));\n }\n df=*numerator/(double)*denominator;\n }\n}\n```\nIn this code, the loop `while(fabs(df - value) \u003e MagickEpsilon)` keeps repeating endlessly.\n\n### PoC\n`magick hang a.mng`\nhttps://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing\n\n### Impact\nXMP profile write triggers hang due to unbounded loop\n\n\n### credits\n**Team Pay1oad DVE** \n\n**Reporter** : **Shinyoung Won** (with contributions from **WooJin Park, DongHa Lee, JungWoo Park, Woojin Jeon, Juwon Chae**, **Kyusang Han, JaeHun Gou**)\n\n**yosimich(@yosiimich**) **Shinyoung Won** of SSA Lab\n\ne-mail : [yosimich123@gmail.com]\n\n**Woojin Jeon**\n\nGtihub : brainoverflow\n\ne-mail : [root@brainoverflow.kr]\n\n**WooJin Park**\n\nGitHub : jin-156\n\ne-mail : [1203kids@gmail.com]\n\n**Who4mI(@GAP-dev) Lee DongHa of SSA Lab**\n\nGithub: GAP-dev\n\ne-mail : [ceo@zeropointer.co.kr]\n\n**JungWoo Park**\n\nGithub : JungWooJJING\n\ne-mail : [cuby5577@gmail.com]\n\n**Juwon Chae** \n\nGithub : I_mho\n\ne-mail : [wndnjs4698@naver.com]\n\n**Kyusang Han**\n\nGithub : T1deSEC\n\ne-mail : [hksjoe0081@gmail.com]\n\n**JaeHun Gou**\n\nGithub : P2GONE\n\ne-mail : [charly20@naver.com]\n\n### Commits\nFixed in: https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0 and https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26",
"id": "GHSA-vmhh-8rxq-fp9g",
"modified": "2025-07-23T20:03:42Z",
"published": "2025-07-23T20:03:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vmhh-8rxq-fp9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53015"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/229fa96a988a21d78318bbca61245a6ed1ee33a0"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/38631605e6ab744548a561797472cf8648bcfe26"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1iegkwlTjqnJTtM4XkiheYsjKsC6pxtId/view?usp=sharing"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has XMP profile write that triggers hang due to unbounded loop"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.