ghsa-fh55-q5pj-pxgw

Vulnerability from github

Published

2025-08-26 15:27

Modified

2025-08-26 20:44

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash

Details

Summary

Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.

Details

Root Cause 1. montage -geometry ":" ... reaches MagickCore/geometry.c:GetGeometry(). 2. StringToDouble/InterpretLocaleValue parses ":" as 0.0; then: https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355 WidthValue (and/or HeightValue) is set with a zero dimension. 3. In MagickCore/resize.c:ThumbnailImage(), the code computes: https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629 causing a division by zero and immediate crash.

The issue is trivially triggerable without external input files (e.g., using xc:white).

Reproduction

Environment Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org Features: Cipher DPC HDRI Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib Compiler: clang (14.0.0) OS/Arch: Linux x86_64 Steps ./bin/magick montage -geometry : xc:white null: Observed result ``` IOT instruction (core dumped)

(Environment-dependent: SIGFPE/abort may be observed.)

```

PoC

No external file required; the pseudo image xc:white suffices: ./bin/magick montage -geometry : xc:white null:

Impact

Denial of Service: A divide-by-zero in ThumbnailImage() causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.

Suggested fix

Defensively reject zero dimensions early in ThumbnailImage(): c if ((columns == 0) || (rows == 0)) { (void) ThrowMagickException(exception, GetMagickModule(), OptionError, "InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g", (double) columns, (double) rows); return (Image *) NULL; } Additionally, consider tightening validation in GetGeometry() so that colon-only (and similar malformed) inputs do not yield WidthValue/HeightValue with zero, or are rejected outright. Variants like "x:" or ":x" may also need explicit handling (maintainer confirmation requested).

Credits

Team Daemon Fuzz Hunters

Bug Hunting Master Program, HSpace/Findthegap

Woojin Park @jin-156 1203kids@gmail.com

Hojun Lee @leehohojune leehojune@korea.ac.kr

Youngin Won @amethyst0225 youngin04@korea.ac.kr

Siyeon Han @hanbunny kokosyeon@gmail.com

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-26T15:27:25Z",
    "nvd_published_at": "2025-08-26T17:15:39Z",
    "severity": "LOW"
  },
  "details": "## Summary\nPassing a geometry string containing only a colon (\":\") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.\n\n## Details\n**Root Cause**\n1. `montage -geometry \":\" ...` reaches `MagickCore/geometry.c:GetGeometry().`\n2. `StringToDouble/InterpretLocaleValue` parses `\":\"` as `0.0;` then: \nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355\n`WidthValue` (and/or `HeightValue)` is set with a zero dimension.\n3. In MagickCore/resize.c:ThumbnailImage(), the code computes:\nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629\ncausing a division by zero and immediate crash.\n\nThe issue is trivially triggerable without external input files (e.g., using `xc:white`).\n\n### Reproduction\nEnvironment\n```\nVersion: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org\nFeatures: Cipher DPC HDRI\nDelegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib\nCompiler: clang (14.0.0)\nOS/Arch: Linux x86_64\n```\nSteps\n```\n./bin/magick montage -geometry : xc:white null:\n```\nObserved result\n```\nIOT instruction (core dumped)\n# (Environment-dependent: SIGFPE/abort may be observed.)\n```\n\n## PoC\nNo external file required; the pseudo image xc:white suffices:\n```\n./bin/magick montage -geometry : xc:white null:\n```\n\n## Impact\n- **Denial of Service:** A divide-by-zero in `ThumbnailImage()` causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.\n\n\n## Suggested fix\nDefensively reject zero dimensions early in `ThumbnailImage()`:\n```c\nif ((columns == 0) || (rows == 0)) {\n  (void) ThrowMagickException(exception, GetMagickModule(), OptionError,\n    \"InvalidGeometry\", \"thumbnail requires non-zero dimensions: %.20gx%.20g\",\n    (double) columns, (double) rows);\n  return (Image *) NULL;\n}\n```\nAdditionally, consider tightening validation in `GetGeometry()` so that colon-only (and similar malformed) inputs do not yield `WidthValue/HeightValue` with zero, or are rejected outright. Variants like `\"x:\"` or `\":x\"` may also need explicit handling (maintainer confirmation requested).\n\n## Credits\n### Team Daemon Fuzz Hunters\n**Bug Hunting Master Program, HSpace/Findthegap**\n\u003cbr\u003e\n\n**Woojin Park**\n@jin-156\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Hojun Lee**\n@leehohojune \n[leehojune@korea.ac.kr](mailto:leehojune@korea.ac.kr)\n\n**Youngin Won**\n@amethyst0225\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n@hanbunny\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)",
  "id": "GHSA-fh55-q5pj-pxgw",
  "modified": "2025-08-26T20:44:25Z",
  "published": "2025-08-26T15:27:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55212"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry \":\" leads to crash"
}

CVE-2025-55212 (GCVE-0-2025-55212)

Vulnerability from cvelistv5

Published

2025-08-26 16:43

Modified

2025-08-26 19:36

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-369 - Divide By Zero

Summary

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

References

▼	URL	Tags
	https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw	x_refsource_CONFIRM
	https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af	x_refsource_MISC
	https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355	x_refsource_MISC
	https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629	x_refsource_MISC
	https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ImageMagick	ImageMagick	Version: < 7.1.2-2 Version: < 6.9.13-28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55212",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-26T19:36:13.959186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-26T19:36:17.667Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ImageMagick",
          "vendor": "ImageMagick",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.1.2-2"
            },
            {
              "status": "affected",
              "version": "\u003c 6.9.13-28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (\":\") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-369",
              "description": "CWE-369: Divide By Zero",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-26T16:43:15.189Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw"
        },
        {
          "name": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af"
        },
        {
          "name": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355"
        },
        {
          "name": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629"
        },
        {
          "name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fh55-q5pj-pxgw",
        "discovery": "UNKNOWN"
      },
      "title": "ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry \":\" leads to crash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55212",
    "datePublished": "2025-08-26T16:43:15.189Z",
    "dateReserved": "2025-08-08T21:55:07.967Z",
    "dateUpdated": "2025-08-26T19:36:17.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ghsa-fh55-q5pj-pxgw

Vulnerability from github

Summary

Details

Reproduction

(Environment-dependent: SIGFPE/abort may be observed.)

PoC

Impact

Suggested fix

Credits

Team Daemon Fuzz Hunters

CVE-2025-55212 (GCVE-0-2025-55212)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature