
Cloud Vulnerability DB
A community-led vulnerabilities database
ImageMagick versions prior to 7.1.2-7 and 6.9.13-32 contain an integer overflow vulnerability in the BMP decoder on 32-bit systems. The vulnerability was discovered on October 17, 2025, and affects the BMP decoder functionality in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel (NVD, GitHub Advisory).
The overflow occurs when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems, where size_t is 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while GitHub rates it at 5.9 (MEDIUM) (NVD).
This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability can lead to denial of service conditions when processing specially crafted BMP files (GitHub Advisory).
The vulnerability has been fixed in ImageMagick versions 7.1.2-7 and 6.9.13-32. Users are advised to upgrade to these versions or later. For systems that cannot be immediately upgraded, maintaining default ImageMagick resource limits provides protection against this vulnerability (NVD).
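The following is an added illustration of the arithmetic described above, not ImageMagick's own code. It emulates a 32-bit size_t with uint32_t so the wrap-around reproduces on any host, uses the width (536,870,912) and depth (32 bits per pixel) quoted in the advisory, shows why the same product does not wrap with an 8-byte size_t, and contrasts the unchecked multiplication with an overflow-checked version of the kind a decoder should use before sizing a row buffer. The row-stride formula (rows padded to 4-byte boundaries) is an assumption about the BMP format, not a claim about the exact expression in coders/bmp.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Emulated 32-bit size_t (assumption: the affected builds have a 4-byte size_t). */
typedef uint32_t size32_t;

/* Unchecked pattern: columns * bits_per_pixel wraps modulo 2^32.
 * 536,870,912 is 2^29, so 2^29 * 32 = 2^34, which truncates to 0 in 32 bits. */
static size32_t extent_unchecked(size32_t columns, size32_t bits_per_pixel) {
    return (size32_t)(columns * bits_per_pixel);
}

/* Same arithmetic with an 8-byte size_t: 2^34 fits, so 64-bit builds see no wrap. */
static uint64_t extent_64bit(uint64_t columns, uint64_t bits_per_pixel) {
    return columns * bits_per_pixel;
}

/* Assumed BMP row stride: bit extent rounded up to a multiple of 32 bits, in bytes.
 * A wrapped (zero) extent yields a zero stride, the "bytes_per_line becomes zero"
 * condition the advisory describes. */
static size32_t bytes_per_line(size32_t extent) {
    return 4 * ((extent + 31) / 32);
}

/* Hardened pattern: detect the overflow before it happens and reject the image.
 * Returns false for a degenerate header or when columns * bits_per_pixel would
 * not fit in a 32-bit size_t; only then is *extent written. */
static bool extent_checked(size32_t columns, size32_t bits_per_pixel, size32_t *extent) {
    if (columns == 0 || bits_per_pixel == 0)
        return false;                      /* empty or malformed header */
    if (columns > UINT32_MAX / bits_per_pixel)
        return false;                      /* multiplication would wrap */
    *extent = columns * bits_per_pixel;
    return true;
}

int main(void) {
    /* Constructed from the advisory's figures: width 536,870,912 at 32 bpp. */
    size32_t columns = 536870912u, bpp = 32u;

    size32_t e = extent_unchecked(columns, bpp);
    printf("32-bit unchecked extent: %u, bytes_per_line: %u\n", e, bytes_per_line(e));
    printf("64-bit extent: %llu\n", (unsigned long long)extent_64bit(columns, bpp));

    size32_t safe;
    if (!extent_checked(columns, bpp, &safe))
        printf("hardened check: rejected (columns * bpp overflows a 32-bit size_t)\n");
    else
        printf("hardened check: extent %u\n", safe);
    return 0;
}
```

The checked variant is the general defence: any decoder that derives a buffer size from header fields should validate the product against the type's maximum before allocating or looping on it, rather than relying on resource limits alone.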
Source: This report was generated using AI