VYPR
Low severity · NVD Advisory · Published Sep 5, 2025 · Updated Nov 3, 2025

ImageMagick BlobStream Forward-Seek Under-Allocation

CVE-2025-57807

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required. This is fixed in version 14.8.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In ImageMagick before 14.8.2, SeekBlob() can skip past buffer end, then WriteBlob() under-allocates, causing a deterministic heap out-of-bounds write.

Vulnerability Overview

CVE-2025-57807 is a heap out-of-bounds write vulnerability in ImageMagick's BlobStream I/O subsystem (MagickCore/blob.c). The root cause is a contract mismatch between the SeekBlob() and WriteBlob() functions for memory-backed blobs. SeekBlob() allows advancing the stream offset beyond the current end of the allocated buffer without increasing the buffer's capacity [1]. When WriteBlob() is subsequently called, it calculates the required size using an amortized growth formula (quantum + length) instead of ensuring the new extent covers offset + length. This leads to a reallocation that is smaller than needed [1][4].

Exploitation Path

An attacker can reach this vulnerability by providing a crafted image file that triggers a seek to a large offset (e.g., 256 MiB) followed by a small write. No authentication, special policies, or 2^64 arithmetic overflow are required [1]. The vulnerability is reachable over the network if ImageMagick processes untrusted images, as is common in web applications that use the library [2].

Impact

Successful exploitation results in a deterministic heap write where an attacker-controlled number of bytes is written to a heap location determined by the attacker's chosen offset. This memory corruption can potentially lead to arbitrary code execution or other serious security impacts [1]. The CVSS v3.1 base score is 9.8 (Critical) [1].

Mitigation

The vulnerability is fixed in ImageMagick version 14.8.2 [1][2]. The fix changes the reallocation calculation in WriteBlob() to use extent = offset + length + quantum, ensuring the buffer is sized to cover the actual write target [4]. Users should update to the patched version or apply the corresponding commit.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
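
The sizing mismatch and the fix described above can be checked with arithmetic alone, using the 256 MiB seek and small write from the text. This is an added example, not ImageMagick source: the struct, function names, and the sample extent and quantum values are assumptions, and the model only computes sizes without touching any buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a memory-backed blob (field names are assumptions). */
typedef struct {
  size_t extent;   /* bytes currently allocated for data */
  size_t offset;   /* stream position; the copy targets data + offset */
  size_t quantum;  /* amortized growth step */
} BlobModel;

/* Seek as the advisory describes it: offset moves, capacity does not. */
static void model_seek(BlobModel *b, size_t offset) { b->offset = offset; }

/* Affected sizing: the buffer expands by quantum + length. */
static size_t capacity_affected(const BlobModel *b, size_t length) {
  if (b->offset + length < b->extent) return b->extent;  /* no growth needed */
  return b->extent + b->quantum + length;
}

/* Fixed sizing: extent = offset + length + quantum. */
static size_t capacity_fixed(const BlobModel *b, size_t length) {
  if (b->offset + length < b->extent) return b->extent;
  return b->offset + length + b->quantum;
}

/* Bytes by which a write ending at offset + length overruns capacity. */
static size_t overrun(const BlobModel *b, size_t length, size_t capacity) {
  size_t end = b->offset + length;
  return end > capacity ? end - capacity : 0;
}

int main(void) {
  BlobModel b = { 4096, 0, 65536 };      /* constructed sample values */
  size_t length = 16;                    /* small write */
  model_seek(&b, (size_t)256 << 20);     /* 256 MiB forward seek */
  size_t a = capacity_affected(&b, length), f = capacity_fixed(&b, length);
  printf("affected: capacity=%zu overrun=%zu\n", a, overrun(&b, length, a));
  printf("fixed:    capacity=%zu overrun=%zu\n", f, overrun(&b, length, f));
  return 0;
}
```

A nonzero overrun means the write would end past the reallocated buffer; with the fixed formula the overrun is zero for any offset that does not wrap.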

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (NuGet)                       Affected versions   Patched versions
Magick.NET-Q16-x64                    < 14.8.2            14.8.2
Magick.NET-Q8-x64                     < 14.8.2            14.8.2
Magick.NET-Q16-HDRI-x64               < 14.8.2            14.8.2
Magick.NET-Q8-OpenMP-x64              < 14.8.2            14.8.2
Magick.NET-Q16-HDRI-OpenMP-x64        < 14.8.2            14.8.2
Magick.NET-Q16-OpenMP-x64             < 14.8.2            14.8.2
Magick.NET-Q8-arm64                   < 14.8.2            14.8.2
Magick.NET-Q16-arm64                  < 14.8.2            14.8.2
Magick.NET-Q16-OpenMP-arm64           < 14.8.2            14.8.2
Magick.NET-Q8-OpenMP-arm64            < 14.8.2            14.8.2
Magick.NET-Q16-HDRI-OpenMP-arm64      < 14.8.2            14.8.2
Magick.NET-Q16-HDRI-arm64             < 14.8.2            14.8.2
