CVE-2025-68618 Overview
CVE-2025-68618 is a denial of service vulnerability in ImageMagick, a widely deployed open-source image processing library. The flaw resides in the Scalable Vector Graphics (SVG) parser, where deeply nested vector graphics elements trigger uncontrolled recursion [CWE-674]. An attacker can supply a malicious SVG file that exhausts process resources when ImageMagick reads it, crashing the host application. The issue affects ImageMagick versions prior to 7.1.2-12 and is remotely exploitable through any service that ingests user-supplied SVG content.
Critical Impact
A network-reachable attacker can crash ImageMagick-backed services with a single crafted SVG file, with no authentication or user interaction required.
Affected Products
- ImageMagick versions prior to 7.1.2-12
- Applications and web services that use ImageMagick to process untrusted SVG input
- Linux distributions and container images bundling vulnerable ImageMagick releases
Discovery Timeline
- 2025-12-30 - CVE-2025-68618 published to the National Vulnerability Database (NVD)
- 2026-01-06 - CVE record last modified in NVD
Technical Details for CVE-2025-68618
Vulnerability Analysis
The vulnerability is an uncontrolled recursion flaw in the ImageMagick SVG coder. When the parser encounters nested SVG group or container elements, it increments an internal depth counter (svg_info->n) and recursively allocates additional scale memory through ResizeQuantumMemory. Prior to version 7.1.2-12, the parser did not validate that the nesting depth remained within sane bounds. A crafted SVG containing thousands of nested elements forces unbounded stack recursion and memory growth, resulting in process termination or resource exhaustion. The defect is classified under [CWE-674] (Uncontrolled Recursion) and impacts availability without exposing confidentiality or integrity.
Root Cause
The coders/svg.c SVG element start handler incremented the recursion depth counter without comparing it against MagickMaxRecursionDepth. Subsequent memory resize and recursive descent operations proceeded unconditionally. A related missing depth check existed in coders/msl.c, the Magick Scripting Language coder, which shares parsing patterns with the SVG handler.
Attack Vector
Exploitation requires only that a vulnerable ImageMagick installation read attacker-controlled SVG content. Common entry points include image upload endpoints, avatar processors, thumbnail generators, document conversion pipelines, and CMS plugins. No authentication, privileges, or user interaction are required. The attack is remote and pre-authentication wherever the application accepts unauthenticated uploads.
// Patch in coders/svg.c — adds recursion depth check
name);
parser=(xmlParserCtxtPtr) context;
svg_info=(SVGInfo *) parser->_private;
- svg_info->n++;
+ if (svg_info->n++ > MagickMaxRecursionDepth)
+ {
+ (void) ThrowMagickException(svg_info->exception,GetMagickModule(),
+ DrawError,"VectorGraphicsNestedTooDeeply","`%s'",name);
+ xmlStopParser((xmlParserCtxtPtr) context);
+ return;
+ }
svg_info->scale=(double *) ResizeQuantumMemory(svg_info->scale,(size_t)
svg_info->n+1,sizeof(*svg_info->scale));
if (svg_info->scale == (double *) NULL)
// Source: https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
The fix aborts parsing with xmlStopParser and raises a VectorGraphicsNestedTooDeeply error once depth exceeds MagickMaxRecursionDepth, preventing further recursion and memory allocation.
Detection Methods for CVE-2025-68618
Indicators of Compromise
- Repeated ImageMagick worker crashes or SIGSEGV events correlated with SVG processing
- Application log entries containing VectorGraphicsNestedTooDeeply after patching
- Sudden spikes in memory or CPU usage in image conversion services following SVG uploads
- Inbound .svg files containing thousands of nested <g>, <svg>, or container elements
Detection Strategies
- Inspect uploaded SVG files for abnormal nesting depth before passing them to ImageMagick
- Monitor process exit codes and out-of-memory kills on hosts running ImageMagick conversion workers
- Alert on web application logs that show ImageMagick errors clustered around a single client IP or session
- Correlate file upload telemetry with image processing failures to identify probing activity
Monitoring Recommendations
- Track ImageMagick version inventory across servers, containers, and developer images
- Capture stderr and exception output from image processing pipelines into centralized logging
- Set resource limits on conversion workers and alert when limits are repeatedly hit
- Review web access logs for uploads of unusually large or deeply structured SVG payloads
How to Mitigate CVE-2025-68618
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-12 or later on all systems and container images
- Rebuild and redeploy any application bundling ImageMagick as a static or vendored dependency
- Restrict or disable SVG processing at the application layer until patching is complete
- Apply resource limits (memory, CPU, process count) to ImageMagick worker processes
Patch Information
The upstream fix is delivered in ImageMagick 7.1.2-12 via commit 6f431d445f3ddd609c004a1dde617b0a73e60beb. The patch adds a MagickMaxRecursionDepth check in the SVG coder and a related depth field in the MSL coder. Refer to the ImageMagick Security Advisory GHSA-p27m-hp98-6637 and the upstream commit for full details.
Workarounds
- Disable the SVG coder in ImageMagick policy.xml if SVG support is not required
- Validate SVG input with a hardened parser to enforce maximum element nesting depth
- Run ImageMagick in a sandboxed process with strict memory and CPU cgroups
- Reject SVG files above a conservative size threshold at the web application gateway
# /etc/ImageMagick-7/policy.xml — disable the SVG coder
<policymap>
<policy domain="coder" rights="none" pattern="SVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
</policymap>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

