ghsa-fh55-q5pj-pxgw
Vulnerability from github
Summary
Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.
Details
Root Cause
1. montage -geometry ":" ... reaches MagickCore/geometry.c:GetGeometry().
2. StringToDouble/InterpretLocaleValue parses ":" as 0.0; then:
https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
WidthValue (and/or HeightValue) is set with a zero dimension.
3. In MagickCore/resize.c:ThumbnailImage(), the code computes:
https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
causing a division by zero and immediate crash.
The issue is trivially triggerable without external input files (e.g., using xc:white).
Reproduction
Environment
Version: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org
Features: Cipher DPC HDRI
Delegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib
Compiler: clang (14.0.0)
OS/Arch: Linux x86_64
Steps
./bin/magick montage -geometry : xc:white null:
Observed result
```
IOT instruction (core dumped)
(Environment-dependent: SIGFPE/abort may be observed.)
```
PoC
No external file required; the pseudo image xc:white suffices:
./bin/magick montage -geometry : xc:white null:
Impact
- Denial of Service: A divide-by-zero in
ThumbnailImage()causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.
Suggested fix
Defensively reject zero dimensions early in ThumbnailImage():
c
if ((columns == 0) || (rows == 0)) {
(void) ThrowMagickException(exception, GetMagickModule(), OptionError,
"InvalidGeometry", "thumbnail requires non-zero dimensions: %.20gx%.20g",
(double) columns, (double) rows);
return (Image *) NULL;
}
Additionally, consider tightening validation in GetGeometry() so that colon-only (and similar malformed) inputs do not yield WidthValue/HeightValue with zero, or are rejected outright. Variants like "x:" or ":x" may also need explicit handling (maintainer confirmation requested).
Credits
Team Daemon Fuzz Hunters
Bug Hunting Master Program, HSpace/Findthegap
Woojin Park @jin-156 1203kids@gmail.com
Hojun Lee @leehohojune leehojune@korea.ac.kr
Youngin Won @amethyst0225 youngin04@korea.ac.kr
Siyeon Han @hanbunny kokosyeon@gmail.com
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55212"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-26T15:27:25Z",
"nvd_published_at": "2025-08-26T17:15:39Z",
"severity": "LOW"
},
"details": "## Summary\nPassing a geometry string containing only a colon (\":\") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service.\n\n## Details\n**Root Cause**\n1. `montage -geometry \":\" ...` reaches `MagickCore/geometry.c:GetGeometry().`\n2. `StringToDouble/InterpretLocaleValue` parses `\":\"` as `0.0;` then: \nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355\n`WidthValue` (and/or `HeightValue)` is set with a zero dimension.\n3. In MagickCore/resize.c:ThumbnailImage(), the code computes:\nhttps://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629\ncausing a division by zero and immediate crash.\n\nThe issue is trivially triggerable without external input files (e.g., using `xc:white`).\n\n### Reproduction\nEnvironment\n```\nVersion: ImageMagick 7.1.2-1 (Beta) Q16-HDRI x86_64 0ba1b587b:20250812 https://imagemagick.org\nFeatures: Cipher DPC HDRI\nDelegates (built-in): bzlib fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff x xml zlib\nCompiler: clang (14.0.0)\nOS/Arch: Linux x86_64\n```\nSteps\n```\n./bin/magick montage -geometry : xc:white null:\n```\nObserved result\n```\nIOT instruction (core dumped)\n# (Environment-dependent: SIGFPE/abort may be observed.)\n```\n\n## PoC\nNo external file required; the pseudo image xc:white suffices:\n```\n./bin/magick montage -geometry : xc:white null:\n```\n\n## Impact\n- **Denial of Service:** A divide-by-zero in `ThumbnailImage()` causes immediate abnormal termination (e.g., SIGFPE/abort), crashing the ImageMagick process.\n\n\n## Suggested fix\nDefensively reject zero dimensions early in `ThumbnailImage()`:\n```c\nif ((columns == 0) || (rows == 0)) {\n (void) ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"InvalidGeometry\", \"thumbnail requires non-zero dimensions: %.20gx%.20g\",\n (double) columns, (double) rows);\n return (Image *) NULL;\n}\n```\nAdditionally, consider tightening validation in `GetGeometry()` so that colon-only (and similar malformed) inputs do not yield `WidthValue/HeightValue` with zero, or are rejected outright. Variants like `\"x:\"` or `\":x\"` may also need explicit handling (maintainer confirmation requested).\n\n## Credits\n### Team Daemon Fuzz Hunters\n**Bug Hunting Master Program, HSpace/Findthegap**\n\u003cbr\u003e\n\n**Woojin Park**\n@jin-156\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Hojun Lee**\n@leehohojune \n[leehojune@korea.ac.kr](mailto:leehojune@korea.ac.kr)\n\n**Youngin Won**\n@amethyst0225\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n@hanbunny\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)",
"id": "GHSA-fh55-q5pj-pxgw",
"modified": "2025-08-26T20:44:25Z",
"published": "2025-08-26T15:27:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55212"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry \":\" leads to crash"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.