
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in ImageMagick's CLAHE (Contrast Limited Adaptive Histogram Equalization) implementation has been identified as CVE-2025-62594. The vulnerability affects ImageMagick versions below 7.1.2-7 and stems from the CLAHEImage() function in MagickCore/enhance.c not handling the case where the tile width or height becomes zero (GitHub Advisory).
The vulnerability manifests through two distinct but related unsafe behaviors in the CLAHE implementation. First, an unsigned integer underflow occurs when tileinfo.height equals 0, causing tileinfo.height - 1 to wrap to a very large value, leading to out-of-bounds pointer arithmetic. Second, a division-by-zero vulnerability exists where operations are performed using tileinfo.width or tileinfo.height without proper zero-value validation. The vulnerability has received a CVSS v3.1 score of 4.7 (Moderate) with a vector string of CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub Advisory).
The primary impact is a Denial-of-Service (DoS) condition, which can manifest as either a crash or sustained resource exhaustion through memory/cache thrashing when processing crafted parameters or small images via CLI or API. While theoretical secondary impacts include potential memory corruption through out-of-bounds memory accesses, no reliable code execution has been demonstrated (GitHub Advisory).
The vulnerability has been patched in ImageMagick version 7.1.2-8. The fix includes implementing proper input validation and bounds checks for tile dimensions before performing division or pointer arithmetic operations. Users are advised to upgrade to this version or later (GitHub Advisory).
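The sketch below is an added example, not ImageMagick's code or its patch. It shows the unsigned wrap described above next to a validation step of the kind the fix describes. The TileInfo struct, the function names, and the divide-by-8 default tile size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the tile geometry; not ImageMagick's own type. */
typedef struct { size_t width, height; } TileInfo;

/* Assumed default: derive a tile edge as 1/8 of the image edge when the
   caller supplies 0. Integer division makes this 0 for edges below 8. */
static size_t default_tile_edge(size_t requested, size_t image_edge) {
    return requested != 0 ? requested : image_edge / 8;
}

/* Unsafe pattern: unsigned subtraction with no zero check. */
static size_t last_row_unchecked(const TileInfo *t) {
    return t->height - 1; /* wraps to SIZE_MAX when height == 0 */
}

/* Hardened form: reject zero tile edges before any subtraction or division.
   Returns 0 and fills the outputs on success, -1 on invalid geometry. */
static int tile_grid_checked(size_t image_w, size_t image_h, const TileInfo *t,
                             size_t *tiles_x, size_t *tiles_y, size_t *last_row) {
    if (t->width == 0 || t->height == 0)
        return -1; /* would otherwise divide by zero or underflow below */
    /* Ceiling division written so the numerator cannot overflow. */
    *tiles_x = image_w / t->width + (image_w % t->width != 0);
    *tiles_y = image_h / t->height + (image_h % t->height != 0);
    *last_row = t->height - 1; /* safe: height >= 1 */
    return 0;
}

int main(void) {
    /* Constructed inputs: a 64x5 image and a 64x64 image, no tile size given. */
    size_t dims[2][2] = { {64, 5}, {64, 64} };
    for (int i = 0; i < 2; i++) {
        TileInfo t = { default_tile_edge(0, dims[i][0]),
                       default_tile_edge(0, dims[i][1]) };
        size_t tx, ty, last;
        printf("%zux%zu tile=%zux%zu unchecked last row=%zu\n",
               dims[i][0], dims[i][1], t.width, t.height, last_row_unchecked(&t));
        if (tile_grid_checked(dims[i][0], dims[i][1], &t, &tx, &ty, &last) != 0)
            puts("  rejected: zero tile dimension");
        else
            printf("  grid %zux%zu, last row %zu\n", tx, ty, last);
    }
    return 0;
}
```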
Source: This report was generated using AI