VYPR
Moderate severity · OSV Advisory · Published Dec 30, 2025 · Updated Dec 30, 2025

Magick's failure to limit the depth of SVG file reads caused a DoS attack.

CVE-2025-68618

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing recursion-depth limit in ImageMagick before 7.1.2-12 allows a crafted SVG file to cause a denial of service via stack overflow.

Vulnerability

Overview

ImageMagick versions prior to 7.1.2-12 contain a denial-of-service (DoS) vulnerability in the SVG parsing code. The root cause is the absence of a recursion-depth check when processing nested SVG elements. The SVGStartElement and MSLStartElement functions call themselves recursively without limiting the nesting depth, leading to uncontrolled stack growth when a malicious SVG file with deeply nested elements is parsed [1][2][3].

Exploitation

An attacker can exploit this vulnerability by crafting a specially designed SVG file that contains an excessive number of nested elements. When ImageMagick reads this file using any of its tools or APIs (such as magick or convert), the recursive parsing exhausts the call stack, causing a crash. No authentication or special privileges are required; the attack vector is local, or remote when the application processes user-supplied SVG files [4].

Impact

Successful exploitation results in a denial of service. The application crashes with a stack overflow (e.g., exit code -1073741571 on Windows). This affects all applications that use ImageMagick to parse SVG files, including web services, image processing pipelines, and desktop tools [4].

Mitigation

The vulnerability is fixed in ImageMagick version 7.1.2-12. The patch introduces a depth counter and a check against MagickMaxRecursionDepth in both MSLStartElement and SVGStartElement, stopping parsing when the limit is exceeded [3]. Users should upgrade to the patched version or apply the commit 6f431d445f3ddd609c004a1dde617b0a73e60beb. No workaround is available other than avoiding processing untrusted SVG files [2][4].
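The fix described above bounds nesting depth inside the parser. As an added example (not ImageMagick's code and not from this advisory), the same bound can be enforced as a pre-screen before untrusted SVG reaches an image pipeline that may still run an unpatched build: a streaming expat parse that counts open elements and rejects the file once nesting passes a limit, without the checker itself recursing. The limit value, the helper names and the `<g>` tag in the constructed samples are assumptions.

```python
import xml.parsers.expat

# Assumed limit for this pre-screen; choose one for your own pipeline.
MAX_NESTING_DEPTH = 256


class NestingTooDeep(Exception):
    """Raised when element nesting exceeds the configured limit."""


def max_element_depth(data: bytes, limit: int = MAX_NESTING_DEPTH) -> int:
    """Return the deepest element nesting in an XML/SVG document.

    Uses expat's SAX-style callbacks: no tree is built and nothing here
    recurses, a single counter goes up on start tags and down on end tags.
    Parsing is abandoned as soon as the counter passes `limit`, so a
    pathological file is rejected before most of it is read.
    """
    depth = deepest = 0
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise NestingTooDeep(f"<{name}> opened at depth {depth} (limit {limit})")
        deepest = max(deepest, depth)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    return deepest


def svg_within_depth_limit(data: bytes, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True if the document is well-formed and stays within `limit`.
    Too deep or malformed both return False: neither should reach the renderer."""
    try:
        max_element_depth(data, limit)
        return True
    except (NestingTooDeep, xml.parsers.expat.ExpatError):
        return False


# Constructed samples (not from the advisory); the <g> tag is an assumption.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><g><rect width="1" height="1"/></g></svg>'
DEEP_SVG = b"<svg>" + b"<g>" * 5000 + b"</g>" * 5000 + b"</svg>"

if __name__ == "__main__":
    print("benign depth:", max_element_depth(BENIGN_SVG))           # 3
    print("deep file accepted?", svg_within_depth_limit(DEEP_SVG))  # False
```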

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem  Affected versions  Patched versions
Magick.NET-Q16-AnyCPU              NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-AnyCPU         NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-x86            NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-x86                 NuGet      < 14.10.1          14.10.1
Magick.NET-Q8-AnyCPU               NuGet      < 14.10.1          14.10.1
Magick.NET-Q8-x86                  NuGet      < 14.10.1          14.10.1
Magick.NET-Q8-arm64                NuGet      < 14.10.1          14.10.1
Magick.NET-Q8-OpenMP-x64           NuGet      < 14.10.1          14.10.1
Magick.NET-Q8-OpenMP-arm64         NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-x64                 NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-arm64               NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-OpenMP-x64          NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-OpenMP-arm64        NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-x64            NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-arm64          NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-OpenMP-x64     NuGet      < 14.10.1          14.10.1
Magick.NET-Q16-HDRI-OpenMP-arm64   NuGet      < 14.10.1          14.10.1

Affected products: 2

  • 7.0.1-0, 7.0.1-1, 7.0.1-10, …+ 1 more
    • (no CPE) range: 7.0.1-0, 7.0.1-1, 7.0.1-10, …
    • (no CPE) range: <7.1.2-12

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.