
Cloud Vulnerability DB
Community-driven vulnerability database
ImageMagick versions lower than 14.8.2 contain a critical heap-based buffer overflow vulnerability (CVE-2025-57807) discovered on September 5, 2025. The vulnerability affects the MagickCore blob subsystem, specifically in the SeekBlob() and WriteBlob() functions. The flaw allows attackers to corrupt memory through a heap out-of-bounds write condition, potentially leading to remote code execution (GitHub Advisory, NVD).
The vulnerability stems from a contract mismatch between two BlobStream functions. SeekBlob() allows the stream offset to be advanced beyond the current end without growing the backing allocation, while WriteBlob() grows the buffer by quantum + length rather than to offset + length and then copies to data + offset. When offset is significantly larger than extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical). The flaw is tracked under multiple CWE categories: CWE-122 (Heap-based Buffer Overflow), CWE-131 (Incorrect Calculation of Buffer Size), and CWE-787 (Out-of-bounds Write) (GitHub Advisory, Snyk).
The vulnerability's impact is severe, potentially allowing attackers to achieve remote code execution through memory corruption. Successful exploitation can lead to a total loss of confidentiality (allowing access to sensitive data), integrity (enabling file/data modification), and availability (service termination). The vulnerability is particularly dangerous in server-side image processing scenarios where ImageMagick is network-reachable without authentication or user interaction (Security Online, GitHub Advisory).
The vulnerability has been patched in ImageMagick versions 7.1.2-3 and 6.9.13-29. Users are strongly advised to upgrade to these or later versions. The fix ensures that, before copying length bytes at offset, the code enforces extent ≥ offset + length using overflow-checked arithmetic. The patch also includes additional hardening, such as documenting the restrictions on SeekBlob() and adding forward-seek test cases (GitHub Commit, GitHub Advisory).
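As an added illustration (not code from ImageMagick, the advisory, or this report), the toy blob below models both the size miscalculation described above and the checked write the fix requires: `flawed_new_extent()` reproduces the extent + quantum + length growth rule, `flawed_write_overflows()` reports whether a write at the current offset would fall outside the allocation that rule yields, and `blob_write_checked()` enforces extent ≥ offset + length with overflow-checked arithmetic before any copy. The `Blob` struct, its field names and every function name are assumptions made for this example; the gap left by a forward seek is zero-filled on growth so stale heap bytes are never exposed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical model of a growable in-memory blob.
   This is NOT ImageMagick's BlobStream; names are assumptions. */
typedef struct {
    unsigned char *data;
    size_t extent;   /* bytes actually allocated */
    size_t length;   /* logical end of written data */
    size_t offset;   /* current stream position */
    size_t quantum;  /* growth granularity */
} Blob;

static bool blob_init(Blob *b, size_t extent, size_t quantum) {
    b->data = calloc(extent ? extent : 1, 1);
    if (b->data == NULL) return false;
    b->extent = extent; b->length = 0; b->offset = 0; b->quantum = quantum;
    return true;
}

static void blob_free(Blob *b) { free(b->data); b->data = NULL; b->extent = 0; }

/* Forward seek that moves the offset past both length and extent without
   allocating, mirroring the seek contract the advisory describes. */
static bool blob_seek(Blob *b, size_t offset) { b->offset = offset; return true; }

/* Extent the flawed growth rule would allocate: extent + quantum + length,
   computed without regard to where the offset currently is. */
static size_t flawed_new_extent(const Blob *b, size_t length) {
    return b->extent + b->quantum + length;
}

/* True when copying `length` bytes to data + offset would land beyond the
   allocation flawed_new_extent() produces (the CWE-131 miscalculation). */
static bool flawed_write_overflows(const Blob *b, size_t length) {
    if (length > SIZE_MAX - b->offset) return true;   /* offset + length wraps */
    return b->offset + length > flawed_new_extent(b, length);
}

/* Hardened write: require extent >= offset + length, with overflow-checked
   arithmetic, before touching memory. Returns bytes written, 0 on failure. */
static size_t blob_write_checked(Blob *b, const void *src, size_t length) {
    if (length == 0) return 0;
    if (length > SIZE_MAX - b->offset) return 0;       /* offset + length would wrap */
    size_t required = b->offset + length;
    if (required > b->extent) {
        size_t new_extent = required;
        if (b->quantum <= SIZE_MAX - new_extent) new_extent += b->quantum; /* amortize */
        unsigned char *p = realloc(b->data, new_extent);
        if (p == NULL) return 0;
        memset(p + b->extent, 0, new_extent - b->extent); /* zero the seek gap */
        b->data = p;
        b->extent = new_extent;
    }
    memcpy(b->data + b->offset, src, length);
    b->offset += length;
    if (b->offset > b->length) b->length = b->offset;
    return length;
}

int main(void) {
    Blob b;
    const char *payload = "payload!";   /* constructed 8-byte sample */
    if (!blob_init(&b, 16, 16)) return 1;
    blob_seek(&b, 4096);                /* far beyond the 16-byte allocation */
    printf("flawed growth rule would write out of bounds: %s\n",
           flawed_write_overflows(&b, 8) ? "yes" : "no");
    size_t n = blob_write_checked(&b, payload, 8);
    printf("checked write stored %zu bytes; extent is now %zu\n", n, b.extent);
    blob_free(&b);
    return 0;
}
```

With a 16-byte allocation and a seek to offset 4096, the flawed rule would grow the buffer to only 40 bytes and then copy to byte 4096, whereas the checked write first grows the allocation to at least 4104 bytes, so the copy stays in bounds.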
Source: This report was generated using AI