CVE-2025-27795

4.3 MEDIUM

📋 TL;DR

This vulnerability in GraphicsMagick's JXL image processing stems from missing dimension limits when reading JXL files: an attacker-supplied image with excessive dimensions causes excessive memory allocation. It affects systems that use GraphicsMagick to process untrusted JXL images. The impact is denial of service through resource exhaustion.

💻 Affected Systems

Products:
  • GraphicsMagick
Versions: All versions before 1.3.46
Operating Systems: All operating systems running affected GraphicsMagick versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects JXL (JPEG XL) image format processing. Systems not using JXL format are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system memory exhaustion leading to denial of service and potential system instability or crash.

🟠 Likely Case: Application crashes or becomes unresponsive when processing specially crafted JXL images with excessive dimensions.

🟢 If Mitigated: Limited impact with proper resource limits and input validation in place.

🌐 Internet-Facing: MEDIUM - Web applications processing user-uploaded JXL images could be targeted for DoS attacks.
🏢 Internal Only: LOW - Requires processing of malicious JXL files, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to supply malicious JXL files to vulnerable systems. No authentication bypass needed if file upload/processing is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.46

Vendor Advisory: http://www.graphicsmagick.org/NEWS.html

Restart Required: No

Instructions:

1. Download GraphicsMagick 1.3.46 or later from official sources.
2. Compile and install following standard build procedures.
3. Replace the existing GraphicsMagick installation with the patched version.
4. No service restart is needed for most applications.

🔧 Temporary Workarounds

Disable JXL support (applies to: all)

  What: Disable JXL format processing in the GraphicsMagick configuration.
  How: Recompile GraphicsMagick with the --without-jxl flag, or modify the configuration to disable the JXL format.

Implement input validation (applies to: all)

  What: Add dimension validation before processing JXL files.
  How: Implement file validation in application code that checks image dimensions before the file is passed to GraphicsMagick.
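As an added example (not from the advisory or from GraphicsMagick), the dimension check the workaround above describes: a Python pre-filter that parses only the JXL SizeHeader, for a bare codestream or for the ISO BMFF container via its jxlc box, and refuses files whose declared pixel count exceeds a policy limit, so the file never reaches gm. MAX_PIXELS is an assumed value, and partial jxlp streams and 64-bit box sizes are deliberately left unhandled.

```python
import math
import struct
MAX_PIXELS = 64_000_000  # assumed policy limit (constructed for this example); size it to your memory budget
JXL_CODESTREAM_SIG = b"\xff\x0a"
JXL_CONTAINER_SIG = b"\x00\x00\x00\x0cJXL \x0d\x0a\x87\x0a"
RATIOS = {1: (1, 1), 2: (12, 10), 3: (7, 5), 4: (4, 3), 5: (3, 2), 6: (16, 9), 7: (5, 4)}  # ratio 0 = explicit width
class BitReader:  # JXL bit fields are read LSB-first
    def __init__(self, data):
        self.bits, self.pos, self.end = int.from_bytes(data, "little"), 0, 8 * len(data)
    def read(self, nbits):
        if self.pos + nbits > self.end:
            raise ValueError("truncated JXL header")
        value = (self.bits >> self.pos) & ((1 << nbits) - 1)
        self.pos += nbits
        return value
    def u32_plus1(self):  # U32(Bits(9), Bits(13), Bits(18), Bits(30)) + 1: 2-bit selector, then payload
        return self.read((9, 13, 18, 30)[self.read(2)]) + 1

def extract_codestream(data):  # unwrap the ISO BMFF container (jxlc box) when present
    if data.startswith(JXL_CODESTREAM_SIG):
        return data
    if not data.startswith(JXL_CONTAINER_SIG):
        raise ValueError("not a JXL file")
    pos = 0
    while pos + 8 <= len(data):
        size, box_type = struct.unpack(">I4s", data[pos:pos + 8])
        if size == 0:  # box runs to end of file
            size = len(data) - pos
        if size < 8:  # covers size == 1 (64-bit extended sizes), which this filter does not support
            raise ValueError("unsupported box size")
        if box_type == b"jxlc":
            return data[pos + 8:pos + size]
        pos += size
    raise ValueError("no jxlc box found (partial jxlp streams are not handled here)")

def jxl_dimensions(data):  # parse the SizeHeader after the 0xFF 0x0A signature; no pixel decoding
    reader = BitReader(extract_codestream(data)[2:])
    small = reader.read(1)  # 'small' images store height/8 - 1 in 5 bits
    height = (reader.read(5) + 1) * 8 if small else reader.u32_plus1()
    ratio = reader.read(3)
    if ratio == 0:
        width = (reader.read(5) + 1) * 8 if small else reader.u32_plus1()
    else:
        num, den = RATIOS[ratio]
        width = height * num // den
    return width, height

def safe_to_process(data, max_pixels=MAX_PIXELS):  # gate to run before handing the file to gm
    return math.prod(jxl_dimensions(data)) <= max_pixels
```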

🧯 If You Can't Patch

  • Implement strict file upload restrictions for JXL files
  • Deploy resource limits (memory, CPU) on processes using GraphicsMagick

🔍 How to Verify

Check if Vulnerable:

Check the GraphicsMagick version with: gm -version | grep 'GraphicsMagick' (any version before 1.3.46 that was built with JXL support is affected)

Check Version:

gm -version | grep 'GraphicsMagick'

Verify Fix Applied:

Verify that the reported version is 1.3.46 or later: gm -version | grep 'GraphicsMagick'

📡 Detection & Monitoring

Log Indicators:

  • High memory usage by GraphicsMagick processes
  • Application crashes when processing JXL files
  • Failed image processing operations

Network Indicators:

  • Multiple JXL file uploads to vulnerable endpoints
  • Unusual traffic patterns to image processing services

SIEM Query:

process_memory_usage > threshold AND (process_name contains 'gm' OR process_name contains 'GraphicsMagick')

Note: the parentheses matter, since AND binds tighter than OR and the unparenthesised form would match every GraphicsMagick process regardless of memory use; matching on the exact executable name rather than the substring 'gm' avoids hits on unrelated processes.
