CVE-2025-32460

4.0 MEDIUM

📋 TL;DR

This vulnerability is a heap-based buffer over-read in GraphicsMagick's JXL (JPEG XL) decoder, triggered by a specially crafted JPEG XL file. The decoder reads past the end of a heap-allocated buffer, which can crash the process or leak adjacent heap memory. Any system that uses a GraphicsMagick build with JXL support to process untrusted image files is affected; builds without the JXL coder are not.

💻 Affected Systems

Products:
  • GraphicsMagick
Versions: All builds before commit 8e56520435df50f618a03f2721a39a70a515f1cb (no fixed release number is given; verify by commit or changelog, not by version string alone)
Operating Systems: All operating systems running vulnerable GraphicsMagick
Default Config Vulnerable: ⚠️ Yes, for builds that include the JXL coder (GraphicsMagick only provides JXL support when built against libjxl)
Notes: The bug is only reachable through the JXL (JPEG XL) coder. GraphicsMagick selects a coder from the file's leading bytes rather than its extension, so "not using JXL" means the coder is absent or JXL content is rejected before GraphicsMagick sees it, not merely that the application does not expect .jxl filenames.

📦 What is this software?

GraphicsMagick is an image processing toolkit (originally forked from ImageMagick) that provides the gm command-line tool and C/C++ libraries for reading, converting and manipulating a large number of image formats. JPEG XL support comes from its jxl coder, which is built on top of libjxl. It is commonly used server-side, for example to generate thumbnails of user-uploaded images, which is the exposure that matters for this issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Information disclosure. The over-read returns bytes from heap memory adjacent to the image buffer; if those bytes end up in the decoder's output (for example, in a converted image returned to the uploader), they can expose whatever the process holds nearby, such as credentials, keys or other users' data.

🟠 Likely Case: Application crash (denial of service) when the over-read hits an unmapped page while processing a malicious JXL file, with at most limited information disclosure. A short over-read that stays within mapped heap will typically not crash at all, so exploitation can be silent.

🟢 If Mitigated: No impact if GraphicsMagick is not used to process untrusted JXL files, if the JXL coder is absent from the build, or if content-based input validation and sandboxing are in place.

🌐 Internet-Facing: MEDIUM - Web applications processing user-uploaded images via GraphicsMagick could be exploited if they accept JXL format.
🏢 Internal Only: LOW - Requires processing of malicious JXL files, which is less common in internal-only workflows.

🎯 Exploit Status

Public PoC: No (none known at the time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious JXL file and getting it processed by vulnerable GraphicsMagick. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 8e56520435df50f618a03f2721a39a70a515f1cb

Vendor Advisory: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb

Restart Required: Not for one-shot gm invocations. Long-running processes that have the GraphicsMagick shared library loaded (web application workers, thumbnail daemons) keep the old code in memory until they are restarted, so restart them after the upgrade.

Instructions:

1. Update GraphicsMagick to a build that contains commit 8e56520435df50f618a03f2721a39a70a515f1cb.
2. For Debian/Ubuntu: apt update && apt upgrade graphicsmagick. The library packages (libgraphicsmagick-q16-3 and related) are what applications actually link against, so make sure they are upgraded as well. Distributions often backport fixes without changing the upstream version number; rely on the distribution's security advisory or package changelog rather than the version string.
3. For source builds: GraphicsMagick is developed in Mercurial on Heptapod, not git. Pull and update the repository (hg pull && hg update) or download a release that includes the fix, then rebuild and reinstall.
4. Restart any service that had the old library loaded.

🔧 Temporary Workarounds

Disable JXL support

linux

Remove the JXL coder module so GraphicsMagick cannot load it. This only works for builds that load coders as modules: gm version lists "Loadable Modules" under Feature Support, and gm convert -list format | grep -i jxl confirms whether the JXL coder is present at all. For distribution packages the module directory, if one exists, is usually below /usr/lib rather than /usr/local/lib (locate it with find, looking for jxl.so under a GraphicsMagick-* directory). Back the two files up, or move them aside, rather than deleting them outright, so the change can be reverted once the patch is in place. If coders are compiled in statically, removing files does nothing; rebuild without libjxl instead (the configure script's --without-jxl option).

rm /usr/local/lib/GraphicsMagick-*/modules-Q16/coders/jxl.la
rm /usr/local/lib/GraphicsMagick-*/modules-Q16/coders/jxl.so

Input filtering

all

Reject JXL files at the application level before GraphicsMagick processes them. Check the content (the JPEG XL signature bytes), not just the filename extension, because GraphicsMagick picks the coder from the file's leading bytes; an allowlist of the formats the application actually needs is more robust than a JXL denylist. Never pass user-controlled filenames straight into a gm command line, since the format:filename prefix syntax lets a name select a coder.

🧯 If You Can't Patch

  • Implement strict, content-based input validation so that JXL data from untrusted sources is rejected before it reaches GraphicsMagick (an allowlist of expected formats is preferable to a JXL denylist)
  • Run GraphicsMagick in a sandboxed/containerized environment with minimal privileges, and keep secrets out of that process: the leaked bytes come from the decoding process's own heap, so a dedicated image worker that holds no keys or credentials has little to disclose
  • Limit memory and CPU for the worker and treat repeated crashes as a signal (see Detection & Monitoring below)
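The input-filtering workaround and the first bullet above both come down to the same check, so here is one worked version of it. This is an added example, not GraphicsMagick project code, and the names in it (sniff_format, screen_upload, RejectedUpload, ALLOWED_FORMATS) are this example's own. It goes slightly beyond the page by using an allowlist of expected formats rather than a JXL-only denylist. The two JPEG XL signatures are the ones defined by the JPEG XL specification: a bare codestream begins with the bytes FF 0A, and a container file begins with a 12-byte "JXL " signature box.

```python
"""Content-based screening of image uploads before they reach GraphicsMagick.

Added example, not GraphicsMagick project code. GraphicsMagick chooses a
decoder from the file's leading bytes, not from the filename extension, so an
extension check alone does not stop a renamed .jxl file. The check below looks
at the content and only lets through formats the application actually needs.
"""

# (format name, leading bytes). PNG/JPEG/GIF signatures are included so the
# allowlist has something to allow; the two JXL entries are the signatures
# from the JPEG XL specification.
MAGIC_SIGNATURES = [
    ("png",  b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif",  b"GIF87a"),
    ("gif",  b"GIF89a"),
    ("jxl",  b"\xff\x0a"),                        # JPEG XL bare codestream
    ("jxl",  b"\x00\x00\x00\x0cJXL \r\n\x87\n"),  # JPEG XL ISOBMFF container
]

# Allowlist: only formats the application needs. Everything else, including
# JXL and unrecognised data, is rejected before gm ever sees it.
ALLOWED_FORMATS = {"png", "jpeg", "gif"}


class RejectedUpload(ValueError):
    """Raised for any upload that must not be handed to GraphicsMagick."""


def sniff_format(data: bytes) -> str:
    """Identify an image format from its leading bytes; 'unknown' if none match."""
    for name, magic in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def screen_upload(filename: str, data: bytes) -> str:
    """Return the sniffed format if the upload may be processed, else raise.

    Rejects on either signal: a .jxl extension (the name might later reach a
    gm command line) or JXL content under any extension. Because this is an
    allowlist, a file that matches no known signature is also rejected.
    """
    fmt = sniff_format(data)
    if filename.lower().endswith(".jxl"):
        raise RejectedUpload(f"{filename}: JXL uploads are not accepted")
    if fmt not in ALLOWED_FORMATS:
        raise RejectedUpload(f"{filename}: content is {fmt}, not an allowed format")
    return fmt


if __name__ == "__main__":
    # Constructed sample inputs: signature bytes followed by filler, not real images.
    samples = {
        "photo.png":      b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "renamed.png":    b"\xff\x0a" + b"\x00" * 16,                       # JXL codestream behind a .png name
        "container.jpeg": b"\x00\x00\x00\x0cJXL \r\n\x87\n" + b"\x00" * 16,  # JXL container behind a .jpeg name
        "honest.jxl":     b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,              # PNG content, but the name says JXL
        "empty.gif":      b"",
    }
    for name, blob in samples.items():
        try:
            print(f"{name}: accepted as {screen_upload(name, blob)}")
        except RejectedUpload as err:
            print(f"{name}: rejected ({err})")
```

Run the screened bytes through gm from a temporary file the application names itself, never from the uploader's filename, so that neither the name nor the content can steer GraphicsMagick toward the JXL coder.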

🔍 How to Verify

Check if Vulnerable:

Confirm that the installed build predates the fix and that the JXL coder is present. gm version prints the release and its date on the first line; gm convert -list format | grep -i jxl shows whether JXL is compiled in (no JXL line means the vulnerable code is not reachable on that host).

Check Version:

gm version

Verify Fix Applied:

A binary does not expose a commit hash. For source builds, confirm the working copy includes changeset 8e56520435df50f618a03f2721a39a70a515f1cb (hg log) or that the ChangeLog in the source tree records the JXL fix. For distribution packages, check the package changelog or the distribution's security tracker entry for CVE-2025-32460 rather than comparing version strings, since fixes are often backported without a version bump.

📡 Detection & Monitoring

Log Indicators:

  • gm, or an application linking libGraphicsMagick, terminating with a segmentation fault or other abnormal exit while processing image files
  • Unexpected memory access errors in system logs. A short over-read often stays within mapped heap and does not crash, so the absence of crashes is not evidence of absence; an AddressSanitizer build of the image worker in a staging pipeline will catch the over-read deterministically

Network Indicators:

  • Unusual JXL file uploads to image processing services, identified by content signature (FF 0A codestream or "JXL " container box) rather than by file extension

SIEM Query:

source="*syslog*" AND ("segmentation fault" OR "SIGSEGV") AND "GraphicsMagick"
