CVE-2025-57803: 
C# vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-57803) was discovered in ImageMagick's BMP encoder affecting 32-bit builds prior to versions 7.1.2-2 and 6.9.13-28. The vulnerability stems from a 32-bit integer overflow in the BMP encoder's scanline-stride computation, which causes the bytesperline (stride) value to collapse to a small value while the per-row writer continues to emit larger amounts of data. This vulnerability was discovered and disclosed on August 26, 2025 (GitHub Advisory).

The vulnerability occurs in the WriteBMPImage function where a 32-bit integer overflow happens during the scanline-stride computation. The issue manifests when processing images with a width of at least 178,956,970 pixels, causing the bytesperline calculation to overflow and produce an incorrectly small value. The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH (NIST NVD) and 7.5 HIGH (GitHub), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-190 (Integer Overflow) and CWE-122 (Heap-based Buffer Overflow) (NVD).

When exploited, this vulnerability allows attackers to perform heap corruption with attacker-controlled bytes, potentially leading to remote code execution in common auto-convert pipelines. The vulnerability is particularly dangerous in scenarios where user-supplied images are automatically converted or processed server-side, such as web applications using ImageMagick in file upload pipelines, automated thumbnail generators, and content management systems (Security Online).

The vulnerability has been patched in ImageMagick versions 6.9.13-28 and 7.1.2-2. Users running 32-bit builds must upgrade immediately to these versions or later. While 64-bit builds are immune to this specific integer overflow, the maintainers recommend implementing additional checks to guard against future DoS scenarios (GitHub Advisory).