CVE-2025-54575
📋 TL;DR
A denial-of-service vulnerability in the ImageSharp GIF decoder allows specially crafted GIF files with malformed comment extension blocks to cause an infinite loop. This affects applications that use vulnerable ImageSharp versions to process untrusted GIF input. The vulnerability can lead to application hangs or resource exhaustion.
💻 Affected Systems
- SixLabors ImageSharp
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to infinite loop consuming all CPU resources, potentially affecting entire service availability.
Likely Case
Application hangs or crashes when processing malicious GIF files, causing temporary service disruption.
If Mitigated
No impact if patched versions are used or if GIF processing is restricted to trusted sources.
🎯 Exploit Status
Exploitation is straightforward but requires the ability to submit GIF files to vulnerable applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.11 or 3.1.11
Vendor Advisory: https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-rxmq-m78w-7wmc
Restart Required: Yes
Instructions:
1. Update the ImageSharp NuGet package to version 2.1.11 (for v2) or 3.1.11 (for v3).
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.
🔧 Temporary Workarounds
Input validation for GIF files
Implement server-side validation to reject malformed GIF files before processing with ImageSharp.
Restrict GIF processing
Disable GIF processing, or limit it to trusted sources only, in the application configuration.
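As an added example (not ImageSharp's code, and not a reproduction of the decoder's bug), a bounded structural pre-check an upload handler could run before decoding: it walks the GIF block sequence, including the sub-block chain of every extension such as the comment extension, and rejects files whose chain has no 0x00 terminator before end of file or that end without a trailer. Function names and the sample bytes are constructed for this example.

```python
import struct

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a length-prefixed sub-block chain; ValueError if it runs off EOF.
    pos grows by at least 1 per iteration, so the loop is bounded by len(data)."""
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain truncated (no 0x00 terminator)")
        size, pos = data[pos], pos + 1
        if size == 0:                         # block terminator
            return pos
        pos += size                           # overshoot is caught on the next check

def validate_gif(data: bytes) -> bool:
    """Return True for a structurally well-formed GIF; raise ValueError otherwise."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF header")
    pos, packed = 13, data[10]
    if packed & 0x80:                         # global color table: 2^(N+1) RGB entries
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                     # trailer: clean end of stream
            return True
        if block == 0x21:                     # extension (comment 0xFE, GCE, app, text)
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the label byte
        elif block == 0x2C:                   # image descriptor: 9 bytes + optional LCT
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:
                pos += 3 * (2 << (lpacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW min code size
        else:
            raise ValueError(f"unexpected block introducer 0x{block:02X}")
    raise ValueError("missing 0x3B trailer")

def is_well_formed_gif(data: bytes) -> bool:
    """Accept/reject wrapper for an upload handler."""
    try:
        return validate_gif(data)
    except ValueError:
        return False

# Constructed sample: 1x1 GIF89a, 2-entry global color table, "hello" comment, one image, trailer.
GOOD_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
            + b"\x21\xFE\x05hello\x00" + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00" + b"\x3B")
# Constructed sample: comment extension whose size byte promises 255 bytes, then EOF, no terminator.
TRUNCATED_COMMENT_GIF = GOOD_GIF[:19] + b"\x21\xFE\xFFabc"
```

The check only verifies block framing; it does not decode pixel data, so it complements rather than replaces updating the library.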
🧯 If You Can't Patch
- Implement strict file type validation and reject all GIF uploads from untrusted sources.
- Deploy WAF rules to block malformed GIF files at the network perimeter.
🔍 How to Verify
Check if Vulnerable:
Check the ImageSharp package version in your .NET project. If the version is below 2.1.11, or between 3.0.0 and 3.1.10, you are vulnerable.
Check Version:
dotnet list package SixLabors.ImageSharp
Verify Fix Applied:
Verify that the ImageSharp package version in your project dependencies is 2.1.11 or higher (v2 line) or 3.1.11 or higher (v3 line).
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Application hangs or crashes during GIF processing
- Failed GIF decoding operations
Network Indicators:
- Multiple failed GIF upload attempts
- Unusual GIF file upload patterns
SIEM Query:
source="application_logs" AND ("ImageSharp" OR "GIF") AND ("high cpu" OR "hang" OR "crash")
🔗 References
- https://github.com/SixLabors/ImageSharp/commit/55e49262df9a057dff9b7807ed1b7bdb49187c3f
- https://github.com/SixLabors/ImageSharp/commit/833f3ceec35af6b775950e06f03b934546cefbf6
- https://github.com/SixLabors/ImageSharp/issues/2953
- https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-rxmq-m78w-7wmc