CVE-2025-55154: 
ImageMagick vulnerability analysis and mitigation

ImageMagick, a free and open-source software used for editing images, contains a high-severity vulnerability (CVE-2025-55154) related to integer overflows in MNG magnification. The vulnerability was discovered in versions prior to 7.1.2-1 and 6.9.13-26, with patched versions being 7.1.2-1 and 6.9.13-27. The issue was identified and reported by Google Big Sleep team in August 2025 (GitHub Advisory).

The vulnerability exists in the magnified size calculations within the ReadOneMNGImage function (in coders/png.c). The calculations for magnifiedwidth stored in pnguint32 can overflow due to unsafe operations with 16-bit unsigned integers. While initial operations with mnginfo->magnml and mnginfo->magnmx are safe, subsequent multiplications and additions can lead to buffer overflow. This results in a value of magnified_width that is smaller than required, causing out-of-bounds write operations with controlled data beyond heap allocation bounds (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High), indicating significant potential impact. When exploited, it can lead to heap buffer overflow, allowing for memory corruption and potential remote code execution. The vulnerability affects confidentiality, integrity, and availability with high severity ratings (GitHub Advisory).

Users are advised to upgrade to ImageMagick versions 7.1.2-1 or 6.9.13-27 or later, which contain patches for this vulnerability. Additionally, ensuring proper security policies with width/height limits can help prevent exploitation (GitHub Advisory).