VYPR
← All advisories
High severityNVD Advisory· Published Aug 26, 2025· Updated Nov 3, 2025

ImageMagick Format String Bug in InterpretImageFilename leads to arbitrary code execution

CVE-2025-55298

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-55298 is a format string bug in ImageMagick's InterpretImageFilename function, enabling arbitrary memory overwrite and potential remote code execution.

This vulnerability is a format string bug in ImageMagick's InterpretImageFilename function. The function directly passes user-controlled input containing format specifiers like %d, %o, or %x to FormatLocaleString without sanitization [1][2]. This allows an attacker to supply a crafted filename that, when processed, treats parts of the input as format string arguments, leading to arbitrary memory writes [1].

Attack

Vector An attacker can exploit this by providing a malicious image filename to an application using ImageMagick. The vulnerability is triggered during image file processing when the InterpretImageFilename function parses the filename [1]. No authentication is required if the application processes attacker-supplied filenames [1]. The attack surface includes any service or tool that uses ImageMagick to handle user-provided image paths or filenames.

Impact

Successful exploitation enables an attacker to overwrite arbitrary memory regions [1]. This can lead to heap overflow, corruption of critical data structures, and ultimately remote code execution (RCE) in the context of the vulnerable process [1][2]. The severity is high due to the potential for complete system compromise.

The fix is included in ImageMagick versions 6.9.13-28 and 7.1.2-2 [1][2]. The patch introduces proper validation of format specifiers in the filename [4]. Users should upgrade to the patched versions immediately [1].

References
  1. Format String Bug in InterpretImageFilename might lead to arbitrary code execution
  2. NVD - CVE-2025-55298
  3. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9… · ImageMagick/ImageMagick@439b362

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-x64NuGet
< 14.8.114.8.1
Magick.NET-Q16-HDRI-x86NuGet
< 14.8.114.8.1
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q16-OpenMP-x64NuGet
< 14.8.114.8.1
Magick.NET-Q16-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q16-x64NuGet
< 14.8.114.8.1
Magick.NET-Q16-x86NuGet
< 14.8.114.8.1
Magick.NET-Q8-AnyCPUNuGet
< 14.8.114.8.1
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q8-OpenMP-x64NuGet
< 14.8.114.8.1
Magick.NET-Q8-arm64NuGet
< 14.8.114.8.1
Magick.NET-Q8-x64NuGet
< 14.8.114.8.1
Magick.NET-Q8-x86NuGet
< 14.8.114.8.1

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    <6.9.13-28 or <7.1.2-2+ 1 more
    • (no CPE)range: <6.9.13-28 or <7.1.2-2
    • (no CPE)range: < 7.1.2-2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.