CVE-2025-66628 Overview
CVE-2025-66628 is a critical integer overflow vulnerability discovered in ImageMagick's TIM (PSX TIM) image parser. The vulnerability exists in the ReadTIMImage function within coders/tim.c, where the code reads width and height values from a TIM file header and performs an unsafe calculation without proper overflow checking. This flaw allows attackers to craft malicious TIM image files that can trigger out-of-bounds read operations, potentially leading to information disclosure.
Critical Impact
Attackers can exploit this integer overflow to cause heap memory corruption, resulting in out-of-bounds read access that may expose sensitive information from process memory.
Affected Products
- ImageMagick versions 7.1.2-9 and prior
- Magick.NET versions using affected ImageMagick core library
- Applications integrating vulnerable ImageMagick libraries for image processing
Discovery Timeline
- 2025-12-10 - CVE-2025-66628 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2025-66628
Vulnerability Analysis
The vulnerability stems from an integer overflow condition in ImageMagick's TIM image format parser. When processing TIM files, the ReadTIMImage function extracts 16-bit width and height values from the file header and calculates the image buffer size using the formula image_size = 2 * width * height. This calculation is performed without validating whether the result exceeds the maximum representable value for the size_t type.
On platforms where size_t is 32 bits wide, extreme dimension values (such as a width and height of 65535) push the product past the representable range, so the multiplication wraps around to a much smaller value. The subsequent memory allocation via AcquireQuantumMemory uses this wrapped value, creating an undersized heap buffer. When the parser later reads or writes pixel data according to the original dimensions, it accesses memory beyond the allocated buffer boundaries.
The consequence is an out-of-bounds read condition (CWE-125) that can expose sensitive information residing in heap memory adjacent to the undersized buffer.
Root Cause
The root cause is the absence of integer overflow validation when computing the image_size variable in the TIM image decoder. The calculation 2 * width * height uses untrusted input values directly from the file header without bounds checking, making the multiplication susceptible to wraparound on systems with 32-bit size_t. This results in allocating significantly less memory than required for the image dimensions specified.
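The following is an added example, not ImageMagick's code: it models the unchecked image_size = 2 * width * height computation the page describes next to a hardened version that rejects any dimension pair whose product would wrap. A 32-bit size_t is modelled explicitly with uint32_t (named sz32_t, an assumption) so the wraparound is reproducible on a 64-bit host; the function names are hypothetical and the TIM header layout is not modelled, only the two 16-bit dimension fields.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Assumption: model a 32-bit size_t so the wrap is visible on any host. */
typedef uint32_t sz32_t;
#define SZ32_MAX UINT32_MAX

/* True number of bytes the decoder will later touch for these dimensions,
 * computed in 64 bits so it never wraps. */
uint64_t tim_bytes_required(uint16_t width, uint16_t height)
{
    return 2ull * width * height;
}

/* Unchecked computation as the page describes the pre-fix decoder: the
 * product is taken modulo 2^32 when it exceeds SZ32_MAX, and the decoder
 * would allocate that (too small) number of bytes. */
sz32_t tim_image_size_unchecked(uint16_t width, uint16_t height)
{
    sz32_t image_size = 2 * (sz32_t) width * (sz32_t) height;
    return image_size;
}

/* Hardened computation: refuse any pair whose byte size does not fit in
 * the size type. Division keeps the check itself free of overflow
 * (__builtin_mul_overflow is the compiler-specific alternative).
 * Returns 1 and stores the size on success, 0 when the pair is rejected. */
int tim_image_size_checked(uint16_t width, uint16_t height, sz32_t *out)
{
    if (width == 0 || height == 0)
        return 0;                         /* empty image: nothing to allocate */
    if ((sz32_t) width > SZ32_MAX / 2 / (sz32_t) height)
        return 0;                         /* 2 * width * height would wrap */
    *out = 2 * (sz32_t) width * (sz32_t) height;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 if the pair was rejected
 * (0 is never a valid size because empty images are rejected above). */
sz32_t tim_checked_size(uint16_t width, uint16_t height)
{
    sz32_t size = 0;
    return tim_image_size_checked(width, height, &size) ? size : 0;
}

int main(void)
{
    /* Constructed header dimensions, not taken from a real sample file. */
    const uint16_t cases[][2] = {
        {640, 480}, {32768, 32768}, {32769, 65535}, {65535, 65535}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint16_t w = cases[i][0], h = cases[i][1];
        printf("%5u x %5u: required %" PRIu64 " bytes, unchecked allocates %" PRIu32
               ", checked: %s\n",
               w, h, tim_bytes_required(w, h), tim_image_size_unchecked(w, h),
               tim_checked_size(w, h) ? "accepted" : "rejected");
    }
    return 0;
}
```

The 32769 x 65535 case is the instructive one: the real requirement is 4,295,032,830 bytes, but the unchecked computation wraps to 65,534, so a parser that trusts it allocates about 64 KiB and then walks roughly 4 GiB of heap. The checked version rejects that pair and the 65535 x 65535 pair while still accepting 32768 x 32768, whose 2 GiB size fits exactly.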
Attack Vector
An attacker exploits this vulnerability by crafting a TIM image file whose width and height header values trigger the integer overflow. The CVSS attack vector is Network: the malicious file is delivered remotely and the victim's application processes it with a vulnerable ImageMagick installation. No authentication or user interaction is required for exploitation.
The attack flow involves:
- A TIM file is crafted with width and height values whose product overflows when multiplied
- The file is delivered to a target system running vulnerable ImageMagick
- ImageMagick parses the header and allocates an undersized buffer
- Subsequent pixel data operations read beyond the heap buffer
- Sensitive memory contents may be exposed to the attacker
The vulnerability has been addressed in ImageMagick version 7.1.2-10. The following patch shows the version update in the Magick.NET wrapper:
// <auto-generated/>
-[assembly: System.Reflection.AssemblyTrademark("ImageMagick 7.1.2-10 (Beta)")]
\ No newline at end of file
+[assembly: System.Reflection.AssemblyTrademark("ImageMagick 7.1.2-10")]
\ No newline at end of file
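Review bot: this hunk only drops the "(Beta)" suffix from the AssemblyTrademark string in the auto-generated Magick.NET assembly attributes ("ImageMagick 7.1.2-10 (Beta)" becomes "ImageMagick 7.1.2-10"); it contains no change to coders/tim.c and therefore does not show the overflow check that the text says fixes ReadTIMImage. Either cite the ImageMagick core commit that adds the bounds check on the image_size calculation, or state explicitly that this diff only records the wrapper's version bump so readers do not mistake it for the fix. Minor: both sides of the hunk lack a trailing newline, which the generator should emit to keep the file diff-friendly.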
Source: GitHub Commit
Detection Methods for CVE-2025-66628
Indicators of Compromise
- Presence of TIM image files with unusually large dimension values (width/height approaching 65535)
- ImageMagick process crashes or abnormal terminations during TIM file processing
- Memory access violation errors in application logs referencing coders/tim.c or ReadTIMImage
- Unexpected data exposure or information leakage from applications processing untrusted images
Detection Strategies
- Monitor for ImageMagick library versions prior to 7.1.2-10 in software inventory scans
- Implement file upload validation to detect TIM files with suspicious header dimensions
- Deploy memory protection tools (AddressSanitizer, Valgrind) in testing environments to identify out-of-bounds reads
- Configure application logging to capture ImageMagick error outputs during image processing operations
Monitoring Recommendations
- Enable verbose logging for ImageMagick processing operations to capture parsing errors
- Set up alerts for segmentation faults or memory access violations in services handling image uploads
- Monitor network traffic for delivery of TIM format files from untrusted sources
- Track ImageMagick process resource consumption for anomalies indicating exploitation attempts
How to Mitigate CVE-2025-66628
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-10 or later immediately
- If using Magick.NET, update to the latest version that includes the patched ImageMagick core
- Disable TIM format processing in ImageMagick policy if not required for business operations
- Implement input validation on image dimensions before processing with ImageMagick
Patch Information
The vulnerability has been fixed in ImageMagick version 7.1.2-10. The fix adds proper integer overflow checking for the image size calculation in the TIM parser. Organizations should upgrade to this version or later to remediate the vulnerability.
Refer to the GitHub Security Advisory for official patch details and upgrade instructions.
Workarounds
- Restrict TIM format support in ImageMagick's policy.xml configuration file by denying TIM coder access
- Process untrusted images in sandboxed environments with limited memory access permissions
- Implement pre-processing validation that rejects TIM files with dimension values exceeding safe thresholds
- Use application-level whitelisting to only allow necessary image formats
<!-- ImageMagick policy.xml configuration to disable TIM format processing.
     Add inside <policymap> in /etc/ImageMagick-7/policy.xml or the equivalent location. -->
<!-- Disable the TIM coder so the vulnerable parser is never reached -->
<policy domain="coder" rights="none" pattern="TIM" />
<!-- Alternative: cap image dimensions so the size calculation cannot overflow -->
<policy domain="resource" name="width" value="16KP" />
<policy domain="resource" name="height" value="16KP" />
Verify that the policy is active with "magick -list policy", which prints the coder and resource policies ImageMagick has loaded.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.