ImageMagick has XMP profile write that triggers hang due to unbounded loop

Vulnerability

Description

In ImageMagick versions prior to 7.1.2-0, a vulnerability exists in the SyncXmpProfile function within profile.c. The bug is caused by a missing return statement in GetXmpNumeratorAndDenominator. When processing XMP metadata with a specific numerator/denominator value (e.g., 720000000000000), the function enters an infinite loop, never returning [3][4]. This infinite loop occurs during the writing phase of an XMP file conversion command [2].

Exploitation

The vulnerability can be triggered by providing a specially crafted XMP profile as part of an image file. The attack requires no authentication beyond the ability to pass an image file to ImageMagick for conversion or writing. An attacker could exploit this by submitting a malicious image to a service that uses ImageMagick to process user-uploaded images, such as a web application or a scripted pipeline [1][4]. The issue is in the write path, so any command that writes an image with a crafted XMP profile (e.g., convert input.png -write output.png) would trigger the hang [4].

Impact

When exploited, the infinite loop causes ImageMagick to hang indefinitely, consuming CPU resources and never completing the operation. This can lead to a denial of service (DoS) condition, making the application or service unresponsive. The vulnerability does not provide code execution or data theft but can render image processing services unavailable [2][4].

Mitigation

The issue is fixed in ImageMagick version 7.1.2-0 [2][3]. Users are advised to upgrade to this version or later. For users who cannot upgrade, workarounds include restricting or validating user-supplied image metadata, or implementing timeouts for ImageMagick processes. The vulnerability was reported as a security advisory with GitHub (GHSA-vmhh-8rxq-fp9g) [4].