VYPR
Medium severity 5.7 · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define

CVE-2026-45359

Description

An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An invalid `connected-components:keep-top` value in ImageMagick causes a heap buffer over-read during connected components processing.

Vulnerability

ImageMagick (including the Magick.NET packages) versions prior to 14.13.1 contain an out-of-bounds read in the connected components operation. An attacker can trigger it by passing a malformed or invalid value to the `-define connected-components:keep-top` option, causing the operation to read heap memory beyond the bounds of the allocated buffer [1][2]. The bug affects the core image processing library and all downstream NuGet packages [2].

Exploitation

An attacker needs the ability to supply a crafted image or command-line argument that sets the `connected-components:keep-top` define to an invalid value. No authentication or special privileges are required if the attacker can cause a victim (or an automated service) to process the malicious input with an affected version of ImageMagick. Attack complexity is low, and no user interaction beyond processing the image is required [3].

Impact

Successful exploitation results in a heap buffer over-read, which can leak confidential data (confidentiality impact) and/or crash the process (availability impact). The CVSS v3.1 base score is 6.5 (Moderate), indicating a medium-severity information disclosure and availability risk [3]. The scope is unchanged, meaning the impact remains within the ImageMagick process itself.

Mitigation

All Magick.NET NuGet packages (e.g., Magick.NET-Q16-AnyCPU) should be updated to version 14.13.1 or later, which contains the fix [2]. Users of the native ImageMagick library should update to the latest release from the official repository [1]. No workarounds are documented; applying the patch is the recommended course of action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.