CVE-2025-65955

4.9 MEDIUM

📋 TL;DR

CVE-2025-65955 is a double-free vulnerability in ImageMagick's Magick++ C++ API: calling Options::fontFamily with an empty string releases the same heap allocation twice. In an application that lets untrusted input reach that call the result is a crash; because a double free corrupts heap metadata, code execution cannot be excluded, although no public exploit is known. Only software built on Magick++ is affected: the vulnerable code is in the C++ wrapper, not in the MagickCore/MagickWand C libraries that the command-line tools use.

💻 Affected Systems

Products:
  • ImageMagick
Versions: ImageMagick 7 before 7.1.2-9; ImageMagick 6 before 6.9.13-34
Operating Systems: All operating systems running ImageMagick
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is reached only through the Magick++ C++ API, via Options::fontFamily (which Magick::Image's font family setter calls). Exposure depends on whether an empty string can reach that call, typically untrusted input such as a request parameter that the application forwards unchanged.

📦 What is this software?

ImageMagick is an open-source suite for creating, converting and editing raster images, used both as command-line tools and as a library embedded in web applications, thumbnailers and document pipelines. Magick++ is its object-oriented C++ API, layered on the MagickCore library; its Options class holds per-image settings such as the font family used when drawing text.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution and full compromise of the host if an attacker can drive an empty font family string into a Magick++ application and turn the resulting heap corruption into a control-flow hijack.

🟠 Likely Case

The application aborts (glibc's double-free detection or a segmentation fault) whenever an empty font family string reaches Options::fontFamily, giving an attacker a cheap denial of service against image-processing workers that accept that value from requests.

🟢 If Mitigated

With input validation in front of the font family setter and the processing worker sandboxed, the worst outcome is a crash of an isolated worker with no privilege escalation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an empty string to reach Options::fontFamily. A crafted image file does not do this by itself; the attacker needs an application code path that forwards untrusted input (a request parameter, a template or job setting) to the font family setter, which is why the practical impact is application-specific.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.2-9 (ImageMagick 7) or 6.9.13-34 (ImageMagick 6)

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m

Restart Required: Yes

Instructions:

1. Update ImageMagick to 7.1.2-9 or later (ImageMagick 7) or 6.9.13-34 or later (ImageMagick 6) with your package manager, for example 'sudo apt update && sudo apt upgrade imagemagick' (Debian/Ubuntu) or 'sudo yum update ImageMagick' (RHEL/CentOS). Make sure the Magick++ shared library package is upgraded as well, not only the command-line tools. Distribution packages often backport the fix without changing the upstream version number, so check the package changelog for CVE-2025-65955.
2. Restart every service that loads libMagick++; a dynamically linked process keeps the old library in memory until it is restarted.
3. Rebuild and redeploy applications that link Magick++ statically or that you build from source, so they pick up the patched library.

🔧 Temporary Workarounds

Input Validation

Platform: all

Reject empty (and, more generally, unexpected) font family strings before they reach Magick++'s font family setter. Better still, map user input onto an allow-list of installed font families rather than passing the string through.

Sandbox Image Processing

Platform: all

Run ImageMagick in a container or sandboxed environment to limit impact of potential exploitation.

🧯 If You Can't Patch

  • Implement strict input validation to prevent empty strings from reaching Options::fontFamily.
  • Isolate ImageMagick processes using containerization or privilege separation.

🔍 How to Verify

Check if Vulnerable:

Check the installed version with 'magick --version' (ImageMagick 7) or 'convert --version' (ImageMagick 6) and compare it against the fixed releases. The command-line tools report the MagickCore version; for a Magick++ application, confirm the library it actually links, for example with 'pkg-config --modversion Magick++' or 'ldd /path/to/app | grep Magick++'. Distribution packages may carry the fix under an older upstream version number, so also check the package changelog ('apt changelog imagemagick', 'rpm -q --changelog ImageMagick') for CVE-2025-65955.

Check Version:

convert --version | head -1

Verify Fix Applied:

The version is fixed when it is 7.1.2-9 or later (ImageMagick 7) or 6.9.13-34 or later (ImageMagick 6). The release suffix after the dash is a number, so 7.1.2-10 is newer than 7.1.2-9; compare it numerically, not as a string.
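The script below is an added example, not code from the page or from the ImageMagick project. It parses the "Version:" line that 'magick --version' / 'convert --version' print, compares the release numerically against 7.1.2-9 and 6.9.13-34, and reports whether the host's binary is in the vulnerable range. The function names and the sample version line in the comments are this example's own assumptions; the caveat about distribution backports still applies to its verdict.

```shell
#!/bin/sh
# Added example (not from the page or the ImageMagick project): check an
# ImageMagick version string against the fixed releases for CVE-2025-65955
# (7.1.2-9 for ImageMagick 7, 6.9.13-34 for ImageMagick 6).
# Function names and the sample version line are this example's own.

# Extract "7.1.1-43" from a line such as
# "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 22763 https://imagemagick.org".
# Prints nothing if the line does not look like ImageMagick's version banner.
im_parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# Exit 0 if version $1 >= version $2. Each dot- or dash-separated field is
# compared as a number, so 7.1.2-10 correctly sorts after 7.1.2-9.
im_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Exit 0 if the version is in the vulnerable range, 1 if it is fixed,
# 2 if it is not an ImageMagick 6.x or 7.x version string.
im_is_vulnerable() {
    case "$1" in
        7.*) ! im_version_ge "$1" 7.1.2-9 ;;
        6.*) ! im_version_ge "$1" 6.9.13-34 ;;
        *)   return 2 ;;
    esac
}

# Check whichever ImageMagick binary is on PATH (magick first, then convert).
# Exit status mirrors im_is_vulnerable; 2 if nothing usable was found.
im_check_host() {
    for bin in magick convert; do
        command -v "$bin" >/dev/null 2>&1 || continue
        line=$("$bin" --version 2>/dev/null | head -n 1)
        ver=$(im_parse_version "$line")
        if [ -z "$ver" ]; then
            echo "$bin: could not parse an ImageMagick version from: $line"
            return 2
        fi
        status=0
        im_is_vulnerable "$ver" || status=$?
        case $status in
            0) echo "$bin: $ver is in the vulnerable range for CVE-2025-65955 (unless your distribution backported the fix; check the package changelog)" ;;
            1) echo "$bin: $ver includes the fix for CVE-2025-65955" ;;
            *) echo "$bin: unrecognised version $ver" ;;
        esac
        return $status
    done
    echo "no magick or convert binary found on PATH"
    return 2
}

# Run the live check when executed directly; never abort the script on a
# "vulnerable" verdict so the message above is always printed.
im_check_host || :
```

Run it on a build host or inside the container image that ships your Magick++ application; for a statically linked application the CLI verdict says nothing about the library compiled in, so check the build's own dependency manifest instead.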

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults or crashes in ImageMagick processes
  • Heap corruption errors in system logs

Network Indicators:

  • Requests that set a font family parameter to an empty value, or bursts of requests to text-rendering endpoints followed by worker restarts

SIEM Query:

Process crash or core-dump events where the faulting process is convert, magick, or any application that links libMagick++, correlated with glibc "double free" abort messages in the same service's logs.
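As an added example of turning the indicators above into a filter (this is not code from the page or from ImageMagick), the script below matches the kernel's segfault report line for ImageMagick tools, faults located in a libMagick shared library, and glibc's heap-corruption abort messages, and runs over constructed sample log lines. Hostnames, PIDs, addresses and the "thumbnailer" service name are made up for the example.

```shell
#!/bin/sh
# Added example (not from the page or the ImageMagick project): a log filter
# for the crash indicators of CVE-2025-65955, exercised on constructed sample
# lines. Patterns follow the kernel segfault report format and glibc's malloc
# abort messages; everything in SAMPLE_LOG is invented for illustration.

# Print stdin lines that indicate a crash or heap-corruption abort involving
# ImageMagick: a kernel segfault report for an ImageMagick CLI tool, a fault
# located inside a libMagick* shared library, or a glibc heap-corruption abort
# (the last pattern is process-agnostic, since a Magick++ application has its
# own process name; pair it with that name in a real query to cut noise).
im_crash_indicators() {
    grep -E \
        -e '(convert|magick|mogrify|identify|montage)\[[0-9]+\]: segfault at ' \
        -e 'libMagick(Core|Wand|[+][+])[^ ]*\.so' \
        -e 'free\(\): (double free|invalid)|double free or corruption|malloc\(\): .*corrupt'
}

# Count matching lines; prints 0 when nothing matches.
im_crash_count() {
    im_crash_indicators | grep -c ''
}

# Constructed sample log lines (syslog layout). Lines 1 and 2 should match,
# the others should not: an unrelated SSH login, a python3 segfault in libc,
# and a normal thumbnailer message.
SAMPLE_LOG='Mar 10 12:00:01 host kernel: convert[12345]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd4c2e8a40 error 4 in libMagickCore-7.Q16HDRI.so.10.0.1[7f3a1c100000+4a0000]
Mar 10 12:00:02 host thumbnailer[4321]: free(): double free detected in tcache 2
Mar 10 12:00:03 host sshd[900]: Accepted publickey for deploy from 10.0.0.5 port 51234
Mar 10 12:00:04 host kernel: python3[5555]: segfault at 10 ip 00007f0000001000 sp 00007ffc00000000 error 4 in libc.so.6[7f0000000000+1c0000]
Mar 10 12:00:05 host thumbnailer[4322]: Finished rendering 14 thumbnails'

# Demo on the sample input: prints the two matching lines.
printf '%s\n' "$SAMPLE_LOG" | im_crash_indicators
```

Against a live host, feed it the journal instead of the sample, e.g. 'journalctl -b -o short | im_crash_indicators'. A single match is a crash to triage, not proof of exploitation; what matters for this CVE is a crash in a process that accepts font family input, repeated under load or from a small set of clients.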

🔗 References

  • ImageMagick security advisory GHSA-q3hc-j9x5-mp9m: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q3hc-j9x5-mp9m