CVE-2025-66628
📋 TL;DR
ImageMagick's TIM image parser contains an integer overflow vulnerability that allows attackers to trigger out-of-bounds memory reads by providing specially crafted TIM images. This affects ImageMagick versions 7.1.2-9 and earlier, particularly on 32-bit systems where size_t is 32-bit. Applications that process untrusted TIM images are vulnerable to potential information disclosure or denial of service.
💻 Affected Systems
- ImageMagick
- Magick.NET
- Any software using vulnerable ImageMagick libraries
📦 What is this software?
ImageMagick by ImageMagick
⚠️ Risk & Real-World Impact
Worst Case
Information disclosure through out-of-bounds reads that expose process memory contents, or denial of service through application crashes.
Likely Case
Application crashes or instability when processing malicious TIM images, potentially causing denial of service.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, though risk remains for unpatched systems.
🎯 Exploit Status
Exploitation requires crafting specific TIM images with large dimensions; no public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-10
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
Restart Required: No
Instructions:
1. Update ImageMagick to version 7.1.2-10 or later.
2. For Linux: use the package manager (apt-get update && apt-get upgrade imagemagick).
3. For Windows: download the latest installer from imagemagick.org.
4. Rebuild any applications that statically link or bundle ImageMagick libraries.
🔧 Temporary Workarounds
Disable TIM format processing
Linux: Remove or disable TIM format support in ImageMagick's policy.xml
Edit /etc/ImageMagick-7/policy.xml and add the following inside the <policymap> element: <policy domain="coder" rights="none" pattern="TIM" />
Sandbox image processing
All platforms: Run ImageMagick in a restricted environment with limited memory and privileges
Use Docker containers with limited capabilities: docker run --security-opt=no-new-privileges --cap-drop=ALL -it imagemagick
🧯 If You Can't Patch
- Implement strict input validation to reject TIM images with dimensions exceeding safe thresholds
- Deploy web application firewalls (WAF) to block malicious TIM image uploads
🔍 How to Verify
Check if Vulnerable:
Check ImageMagick version: convert --version | grep Version
Check Version:
convert --version | grep 'Version: ImageMagick'
Verify Fix Applied:
Verify version is 7.1.2-10 or later and test with sample TIM images
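The version check and the policy.xml workaround above can be automated. The script below is an added example, not part of this advisory or of ImageMagick's own tooling: it parses the banner printed by convert --version (magick --version prints the same first line on ImageMagick 7), compares it numerically against the fixed release 7.1.2-10, and inspects a policy.xml for a coder policy that denies rights for TIM. The banner strings and policy fragments are constructed samples; the policy path /etc/ImageMagick-7/policy.xml is the one named in the workaround, and the assumption that policy patterns are simple globs (no brace lists) is noted in the code.

```python
import os
import re
import subprocess
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Fixed release named in the advisory.
FIXED_VERSION = (7, 1, 2, 10)
# Path from the advisory's workaround; other builds may install it elsewhere.
POLICY_PATH = "/etc/ImageMagick-7/policy.xml"

# First line of `convert --version` / `magick --version`, e.g.
# "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 ..."
VERSION_RE = re.compile(r"Version:\s*ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, release) from the banner, or None."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(banner):
    """True when the banner reports 7.1.2-10 or later.

    Tuples compare numerically, so (7,1,2,9) < (7,1,2,10); a plain string
    comparison would rank "7.1.2-9" above "7.1.2-10" and miss the fix.
    """
    v = parse_version(banner)
    return v is not None and v >= FIXED_VERSION


def tim_coder_disabled(policy_xml):
    """True when policy.xml has a coder policy with rights="none" covering TIM.

    The pattern is matched against the coder name as a shell-style glob, so
    pattern="TIM" and pattern="*" both count. Assumption: simple patterns
    only; brace lists such as "{TIM,PS}" are not expanded here.
    """
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        if fnmatchcase("TIM", pol.get("pattern", "")):
            return True
    return False


def assess(banner, policy_xml):
    """'patched' (fixed release), 'mitigated' (TIM coder blocked) or 'vulnerable'."""
    if is_patched(banner):
        return "patched"
    if tim_coder_disabled(policy_xml):
        return "mitigated"
    return "vulnerable"


# Constructed sample inputs, not captured from a real host.
BANNER_OLD = ("Version: ImageMagick 7.1.2-9 Q16-HDRI i686 https://imagemagick.org\n"
              "Copyright: (C) 1999 ImageMagick Studio LLC\n")
BANNER_NEW = "Version: ImageMagick 7.1.2-10 Q16-HDRI x86_64 https://imagemagick.org\n"
POLICY_OPEN = '<policymap>\n  <policy domain="resource" name="memory" value="256MiB"/>\n</policymap>\n'
POLICY_TIM_BLOCKED = '<policymap>\n  <policy domain="coder" rights="none" pattern="TIM" />\n</policymap>\n'


def check_live_host():
    """Run the same checks against the local install; None if convert is absent."""
    try:
        banner = subprocess.run(["convert", "--version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        return None
    policy = "<policymap/>"  # no policy file means nothing is blocked
    if os.path.exists(POLICY_PATH):
        with open(POLICY_PATH, encoding="utf-8") as fh:
            policy = fh.read()
    return assess(banner, policy)


if __name__ == "__main__":
    print("sample old build, open policy:", assess(BANNER_OLD, POLICY_OPEN))
    print("sample old build, TIM blocked:", assess(BANNER_OLD, POLICY_TIM_BLOCKED))
    print("sample fixed build:           ", assess(BANNER_NEW, POLICY_OPEN))
    print("this host:                    ", check_live_host())
```

A result of "mitigated" only means the TIM coder is denied by policy; it does not replace the update, since the affected parser remains on disk for any process that loads ImageMagick with a different or missing policy file.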
📡 Detection & Monitoring
Log Indicators:
- ImageMagick segmentation faults
- Memory allocation errors in application logs
- Failed TIM image processing
Network Indicators:
- Unusual TIM image uploads to web applications
- Large TIM files with specific dimensions
SIEM Query:
source="*imagemagick*" AND ("segmentation fault" OR "out of bounds" OR "memory error")
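To see what the SIEM query above does and does not surface, here is the same logic applied to a handful of constructed syslog-style lines. This is an added example, not part of the advisory; the line layout ("Mon DD HH:MM:SS host source[pid]: message") and the sample lines are assumptions, and the query fields are taken directly from the query as written.

```python
import re

# The advisory's SIEM query, expressed in code:
#   source="*imagemagick*" AND ("segmentation fault" OR "out of bounds" OR "memory error")
SOURCE_SUBSTRING = "imagemagick"
KEYWORDS = ("segmentation fault", "out of bounds", "memory error")

# Assumed syslog-style layout: "<Mon DD HH:MM:SS> <host> <source>[pid]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<source>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one log line into fields; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def matches_query(entry):
    """Apply the query: source contains 'imagemagick' AND message has any keyword."""
    src = entry["source"].lower()
    msg = entry["msg"].lower()
    return SOURCE_SUBSTRING in src and any(k in msg for k in KEYWORDS)


def scan(lines):
    """Return the parsed entries that the query would surface."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and matches_query(entry):
            hits.append(entry)
    return hits


# Constructed sample lines, not real logs.
SAMPLE_LOGS = [
    "Mar 03 10:12:01 web01 imagemagick-worker[4121]: error: upload.tim: out of bounds read, image rejected",
    "Mar 03 10:12:02 web01 imagemagick-worker[4122]: segmentation fault (core dumped) while converting upload2.tim",
    "Mar 03 10:12:03 web01 kernel: convert[4123]: segfault at 7f3a1c00 ip 00007f3a0b21 sp 00007ffd error 4 in libMagickCore-7.Q16HDRI.so",
    "Mar 03 10:12:04 web01 nginx: POST /upload 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ts"], hit["source"], "->", hit["msg"])
```

Only the two worker lines match. The third line, a crash of the convert binary reported by the kernel, is missed twice over: its source is "kernel", not "*imagemagick*", and the kernel writes "segfault" rather than "segmentation fault". If command-line ImageMagick runs on the host, widen the query with a second clause such as source="kernel" AND ("segfault" AND "libMagickCore").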