VIR Vulnerability Intelligence Relay

CVE-2025-55005

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, when preparing to transform from Log to sRGB colorspaces, the logmap construction fails to handle cases where the reference-black or reference-white value is larger than 1024. This leads to corrupting memory beyond the end of the allocated logmap buffer. This issue has been patched in version 7.1.2-1.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified Authored 2026-05-29
{

Add a restrictive policy to /etc/ImageMagick-7/policy.xml (or ~/.config/ImageMagick/policy.xml for user installs):

<policymap>
  <policy domain="coder" rights="none" pattern="{LOGLUV,LOGLUV24,LOGLUV32}" />
</policymap>

Restart any application servers (PHP-FPM, Passenger, etc.) using ImageMagick. Verify with:

identify -list policy | grep -i log

This blocks TIFF Log colorspace decoding entirely. Rollback: comment out the policy lines and restart. Test legitimate workflows first—some scientific imaging uses Log colorspace.

}

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
Affected
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 8:7.1.1.43+dfsg1-1+deb13u2
sid Fixed 8:7.1.2.1+dfsg1-1
forky Fixed 8:7.1.2.1+dfsg1-1
bullseye Fixed 0
bookworm Fixed 0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.