CVE-2025-62171 Overview
CVE-2025-62171 is an integer overflow vulnerability in ImageMagick, an open source software suite for displaying, converting, and editing raster image files. The vulnerability exists in the BMP decoder (coders/bmp.c) on 32-bit systems where calculating the extent value by multiplying image columns by bits per pixel can cause an integer overflow. When exploited, a specially crafted BMP file can cause the bytes_per_line calculation to become zero, leading to denial of service conditions.
Critical Impact
A malicious 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this integer overflow on vulnerable 32-bit systems, potentially causing application crashes or undefined behavior.
Affected Products
- ImageMagick versions prior to 7.1.2-7
- ImageMagick versions prior to 6.9.13-32
- 32-bit builds of ImageMagick with manually increased resource limits beyond defaults
Discovery Timeline
- 2025-10-17 - CVE-2025-62171 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-62171
Vulnerability Analysis
This integer overflow vulnerability (CWE-190) affects ImageMagick's BMP image decoder specifically on 32-bit systems. The root issue lies in the arithmetic operation that calculates the extent value by multiplying image->columns by bmp_info.bits_per_pixel. On 32-bit systems where size_t is 4 bytes, this multiplication can overflow and wrap to zero when processing a malicious BMP file with specific dimensions.
A key aspect of this vulnerability is that it represents a bypass of a previous fix for CVE-2025-57803. The overflow check that was added to address that earlier vulnerability was placed after the overflow had already occurred, making it ineffective at preventing the exploit condition.
The vulnerability requires specific conditions to be exploitable: the target must be running a 32-bit build of ImageMagick, and the default resource limits for width, height, and area must have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable to this issue, and systems using default ImageMagick resource limits are also protected.
Root Cause
The vulnerability stems from improper placement of the overflow validation check in coders/bmp.c. The original code calculated extent = image->columns * bmp_info.bits_per_pixel before validating whether this multiplication would overflow. On 32-bit systems, when image->columns is set to 536,870,912 and bits per pixel is 32, the multiplication exceeds the maximum value of a 4-byte size_t, causing it to wrap around to zero.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction beyond processing a malicious BMP file. An attacker can craft a minimal 58-byte BMP file with carefully chosen width dimensions (536,870,912 pixels) and color depth (32 bits per pixel) to trigger the overflow condition.
When the overflow occurs:
- The extent value wraps to zero
- The bytes_per_line calculation (derived from extent) becomes zero
- Subsequent memory operations relying on this value cause denial of service
The fix adds an overflow check before the multiplication occurs:
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (bmp_info.compression == BI_RLE4)
bmp_info.bits_per_pixel<<=1;
+ if (BMPOverflowCheck(image->columns,bmp_info.bits_per_pixel) != MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
extent=image->columns*bmp_info.bits_per_pixel;
bytes_per_line=4*((extent+31)/32);
if (BMPOverflowCheck(bytes_per_line,image->rows) != MagickFalse)
Source: GitHub Commit
Detection Methods for CVE-2025-62171
Indicators of Compromise
- Unexpected ImageMagick process crashes when processing BMP files
- Memory allocation failures or segmentation faults during BMP decoding operations
- Small BMP files (around 58 bytes) with unusually large dimension values in headers
- Error logs showing "MemoryAllocationFailed" or "ImproperImageHeader" exceptions
Detection Strategies
- Monitor ImageMagick processes for abnormal termination or crash patterns during image processing
- Implement input validation to reject BMP files with suspicious dimension values (e.g., width exceeding 536 million pixels)
- Audit system logs for repeated ImageMagick failures associated with BMP file processing
- Deploy file integrity monitoring on systems processing untrusted image content
Monitoring Recommendations
- Enable verbose logging for ImageMagick operations to capture processing failures
- Implement resource monitoring for 32-bit ImageMagick deployments to detect unusual memory behavior
- Configure alerting for ImageMagick process crashes or restarts
- Review ImageMagick resource limit configurations to ensure defaults have not been increased unnecessarily
How to Mitigate CVE-2025-62171
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-7 or later for the 7.x branch
- Upgrade ImageMagick to version 6.9.13-32 or later for the 6.x branch
- Verify that 32-bit systems have not manually increased default resource limits for width, height, and area
- Consider migrating 32-bit ImageMagick deployments to 64-bit systems where possible
Patch Information
The vulnerability has been fixed in ImageMagick versions 7.1.2-7 and 6.9.13-32. The fix adds the BMPOverflowCheck() function call before the multiplication that calculates the extent value, properly preventing the integer overflow condition. The patch is available in commit cea1693e.
Additional details are available in the GitHub Security Advisory GHSA-9pp9-cfwx-54rm. Debian users should refer to the Debian LTS Announcement for distribution-specific guidance.
Workarounds
- Maintain default ImageMagick resource limits (do not increase width, height, or area limits beyond defaults)
- Use 64-bit builds of ImageMagick which are not vulnerable to this issue
- Implement pre-processing validation to reject BMP files with extreme dimension values
- Sandbox ImageMagick processing in isolated environments to limit impact of potential exploitation
# Configuration example - Verify ImageMagick resource limits
identify -list resource
# Check ImageMagick version
convert -version
# Restrict BMP processing via policy.xml (example)
# Add to /etc/ImageMagick-7/policy.xml or equivalent
# <policy domain="coder" rights="none" pattern="BMP" />
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
