CVE-2025-57803 Overview
CVE-2025-57803 is a 32-bit integer overflow in the BMP encoder of ImageMagick, the open-source image manipulation toolkit. It affects 32-bit builds prior to 6.9.13-28 on the 6.x line and 7.1.2-2 on the 7.x line. The scanline-stride computation wraps, collapsing bytes_per_line to a small value while the per-row writer still emits 3 × width bytes for 24-bpp images. The first row written therefore runs past the end of the freshly allocated pixel buffer with attacker-controlled bytes, yielding a heap buffer overflow primitive [CWE-122] inside common automatic image conversion pipelines. 64-bit builds are not affected: size_t is 64 bits wide there and the product cannot wrap at any practical width.
Critical Impact
An attacker who can get a crafted image into any service that auto-converts inputs to BMP on a 32-bit build can corrupt the heap with bytes they control; the input image does not itself need to be a BMP. Heap corruption with controlled content is the classic starting point for remote code execution, so every exposed conversion endpoint on an affected build should be treated as potentially remotely exploitable.
Affected Products
- ImageMagick 6.x prior to 6.9.13-28 (32-bit builds)
- ImageMagick 7.x prior to 7.1.2-2 (32-bit builds)
- Downstream packages, including Debian LTS builds and the Magick.NET binding prior to 14.8.1
Discovery Timeline
- 2025-08-26 - CVE-2025-57803 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-57803
Vulnerability Analysis
The vulnerability resides in coders/bmp.c, the BMP coder module of ImageMagick. When writing 24-bits-per-pixel output, the encoder computes a scanline stride (bytes_per_line) padded to a 4-byte boundary, as the BMP format requires. On a 32-bit build size_t is only 32 bits wide, so the multiplication behind that stride wraps silently once the width is large enough, and the truncated stride is what sizes the pixel buffer. The row-writing loop, however, still emits the full 3 × width bytes per scanline, so the very first row it writes runs past the end of the undersized heap allocation.
Because the bytes written are the pixel values of the attacker's source image, the attacker controls the content of the overflow and not merely its occurrence. Many web services, document processors, and thumbnail generators run uploads through ImageMagick automatically, so the vulnerable code path is reachable with nothing more than ordinary upload privileges.
Root Cause
The root cause is the absence of an overflow check on the width × bytes_per_pixel multiplication used to derive bytes_per_line. The patch introduces a BMPOverflowCheck helper that rejects any product exceeding UINT32_MAX before the row buffer is allocated, so an oversized width fails cleanly instead of producing a wrapped stride.
Attack Vector
An attacker submits an image whose dimensions are chosen so that the 32-bit stride computation wraps when the image is re-encoded as BMP; the input format is irrelevant, only the output format and the build's word size matter. Any pipeline that invokes ImageMagick on a 32-bit build to convert uploaded media to BMP triggers the corruption. Exploitation requires only the privileges needed to submit an image and no user interaction.
// Patch excerpt from coders/bmp.c
// Returns MagickTrue when x*y cannot be represented in 32 unsigned bits.
// Dividing the 32-bit maximum by y instead of multiplying avoids the very
// overflow being tested for; the y != 0 test guards the division (a zero
// factor can never overflow).
static inline MagickBooleanType BMPOverflowCheck(size_t x,size_t y)
{
  return((y != 0) && (x > 4294967295UL/y) ? MagickTrue : MagickFalse);
}

// The excerpt on this page breaks off at the start of ReadEmbedImage(); the
// body of that function is not reproduced here.
static Image *ReadEmbedImage(const ImageInfo *image_info,Image *image,
  const char *magick,ExceptionInfo *exception)
{
Source: ImageMagick patch commit 2c55221. The helper rejects any multiplication whose product would exceed the 32-bit unsigned maximum, and it runs before the buffer is allocated or any row pointer is computed.
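To make the arithmetic above concrete, the following C program is an added example written for this page, not ImageMagick source. It recomputes the 24-bpp stride in 32-bit arithmetic, shows where it wraps, compares the result with the 3 × width bytes the row writer emits, and pairs it with a checked version built around the same divide-before-multiply test as BMPOverflowCheck. One assumption: the stride is modelled with the standard BMP rule 4 × ((width × bits_per_pixel + 31) / 32); the exact expression in coders/bmp.c is not reproduced on this page, so the widths at which wrapping begins (178,956,970 pixels and up) belong to this model.

```c
/* Added example, not ImageMagick source. It models the scanline-stride
 * arithmetic described above so the wrap-around and the resulting
 * buffer/row-size mismatch can be observed without crashing anything.
 * ASSUMPTION: the stride follows the standard BMP rule
 * 4 * ((width * bits_per_pixel + 31) / 32); the exact expression in
 * coders/bmp.c is not reproduced on this page. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPP24 24u                     /* bits per pixel on the 24-bpp path */

/* The stride as a 32-bit build computes it: every intermediate is 32 bits
 * wide (size_t == uint32_t there), so width*24 and the +31 rounding step
 * both wrap silently past 2^32. */
uint32_t stride24_unchecked32(uint32_t width)
{
    uint32_t bits = width * BPP24;        /* wraps for width >= 178956971 */
    return 4u * ((bits + 31u) / 32u);     /* the +31 wraps one pixel earlier */
}

/* Bytes the 24-bpp row writer emits per scanline (3 bytes per pixel),
 * computed in 64 bits so it cannot wrap. */
uint64_t row_bytes24(uint32_t width)
{
    return 3ull * width;
}

/* Same shape as the patch's BMPOverflowCheck: true when x*y exceeds
 * UINT32_MAX. Dividing instead of multiplying avoids the overflow being
 * tested for; y == 0 can never overflow and also guards the division. */
bool overflows_u32(uint32_t x, uint32_t y)
{
    return y != 0 && x > UINT32_MAX / y;
}

/* Hardened stride: refuse to produce a value if any intermediate wraps.
 * Returns false on overflow; *out is untouched in that case. */
bool stride24_checked(uint32_t width, uint32_t *out)
{
    if (overflows_u32(width, BPP24))
        return false;
    uint32_t bits = width * BPP24;
    if (bits > UINT32_MAX - 31u)          /* the rounding add can wrap too */
        return false;
    *out = 4u * ((bits + 31u) / 32u);
    return true;
}

/* Smallest width at which the unchecked 24-bpp computation wraps. */
uint32_t min_wrapping_width24(void)
{
    return (UINT32_MAX - 31u) / BPP24 + 1u;
}

/* Would one 24-bpp row stay inside a buffer sized from this stride? */
bool row_fits(uint32_t width, uint32_t stride)
{
    return row_bytes24(width) <= (uint64_t) stride;
}

int main(void)
{
    /* Constructed widths: a normal one, the last safe one, and the first two that wrap. */
    uint32_t widths[] = { 1024u, 178956969u, 178956970u, 178956971u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i], s = stride24_unchecked32(w), c = 0;
        printf("width=%u stride(32-bit)=%u row_bytes=%llu fits=%s checked=%s\n",
               w, s, (unsigned long long) row_bytes24(w),
               row_fits(w, s) ? "yes" : "NO",
               stride24_checked(w, &c) ? "ok" : "rejected");
    }
    return 0;
}
```

No real allocation is attempted: a 24-bpp row at the wrapping width is over 500 MB. The point is the mismatch the program prints: the buffer would be sized from a stride of 0 or 4 bytes while the writer emits some 536 million bytes per row. Note also that in this model the rounding addition wraps one pixel before the multiplication does, which is why the checked version tests both steps rather than the product alone.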
Detection Methods for CVE-2025-57803
Indicators of Compromise
- ImageMagick worker processes dying with SIGSEGV or SIGABRT, or logging glibc heap-corruption diagnostics such as "malloc(): corrupted top size" or "free(): invalid pointer", while handling user-supplied images
- Unexpected child processes or shell invocations spawned from convert, magick, or web application image workers
- Uploaded images whose declared width is implausibly large (orders of magnitude beyond anything the application legitimately handles) sitting in upload directories or conversion queues, particularly where the pipeline re-encodes to BMP
Detection Strategies
- Inventory ImageMagick installations (magick -version or convert -version reports the release; file on the binary reports whether it is a 32-bit ELF) and flag 32-bit builds older than 6.9.13-28 on the 6.x line or 7.1.2-2 on the 7.x line
- Inspect application logs for image conversion errors, abort signals, or repeated worker restarts tied to specific uploads
- Hunt for processes derived from ImageMagick binaries executing unexpected network or filesystem operations
Monitoring Recommendations
- Enable core dump collection on image processing hosts to capture heap corruption evidence
- Forward web application and image worker logs to a centralized analytics platform for correlation with upload events
- Alert on ImageMagick child processes that deviate from a known baseline of conversion utilities
How to Mitigate CVE-2025-57803
Immediate Actions Required
- Upgrade ImageMagick to 6.9.13-28 or 7.1.2-2 or later on all systems, prioritizing 32-bit builds
- Update language bindings such as Magick.NET to 14.8.1 or later to pull in the patched native library
- Apply distribution updates including the Debian LTS advisory referenced below
Patch Information
The fix is implemented in ImageMagick commit 2c55221 and described in the GHSA-mxvv-97wh-cfmm advisory. Downstream consumers should track the Debian LTS announcement and Magick.NET 14.8.1 release notes.
Workarounds
- Run ImageMagick only as a 64-bit build, where size_t is 64 bits wide and the stride calculation cannot wrap at practical image dimensions
- Reject images whose declared dimensions exceed what the application needs before they reach ImageMagick, and set ImageMagick's own width and height resource limits in policy.xml as a second layer
- Disable the BMP coder in policy.xml if the workload never needs BMP; if BMP input must still be accepted, rights="read" permits decoding while refusing the vulnerable encoder
<!-- /etc/ImageMagick-7/policy.xml: add inside the existing <policymap> element
     to disable the BMP coder until the patched build is deployed -->
<policy domain="coder" rights="none" pattern="BMP" />
<policy domain="coder" rights="none" pattern="BMP2" />
<policy domain="coder" rights="none" pattern="BMP3" />
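An added policy fragment for hosts that must keep decoding BMP uploads but never need to produce BMP output, combining a coder restriction with ImageMagick's resource limits; it is an example written for this page, not text from the advisory or the ImageMagick project. The file path and the 16KP limit value are assumptions to adjust per host:

```xml
<!-- Added example (not from the ImageMagick project or the advisory).
     Place inside the existing <policymap> element of policy.xml
     (/etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml,
     depending on the installed major; path is an assumption). -->

<!-- Allow BMP decoding but refuse BMP encoding: the vulnerable code is in
     the encoder, so only the write right needs to go. -->
<policy domain="coder" rights="read" pattern="BMP" />
<policy domain="coder" rights="read" pattern="BMP2" />
<policy domain="coder" rights="read" pattern="BMP3" />

<!-- Second layer: cap image dimensions far below anything that can wrap a
     32-bit stride. 16KP is the value used in several distribution policies;
     pick the smallest value the workload tolerates. -->
<policy domain="resource" name="width" value="16KP"/>
<policy domain="resource" name="height" value="16KP"/>
```

With this in place a conversion to BMP fails with a policy error before the encoder runs, while identify, ping, and reads of BMP input continue to work, and any image wider or taller than the limit is rejected regardless of output format.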
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


