The ImageMagick team has disclosed a critical vulnerability in its BMP encoder, tracked as CVE-2025-57803, which can lead to heap corruption and potentially remote code execution. Assigned a CVSS score of 9.8 (Critical), the flaw impacts 32-bit builds of ImageMagick prior to versions 7.1.2-2 and 6.9.13-28.
The issue is caused by a 32-bit integer overflow in the calculation of BMP scanline stride values. According to the advisory, “A 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images.”
This mismatch means that the encoder’s pointer moves forward incorrectly, causing attacker-controlled data to overflow into adjacent heap memory. The advisory describes it as “a classic, powerful primitive for heap corruption in common auto-convert pipelines.”
The vulnerability stems from unsafe stride arithmetic in the WriteBMPImage function (coders/bmp.c). The report explains:
- “Stage-1 multiply+add in (width * 24 + 31)” can overflow for images with a width of at least 178,956,970 pixels.
- When overflowed, bytes_per_line collapses to a small value, while row_bytes = 3 × width remains enormous.
- The result: “Immediate OOB [out-of-bounds] write during the first row, with attacker-supplied pixel bytes corrupting heap memory.”
In one test case, a chosen width of 178,957,200 pixels caused the encoder to allocate ~178 MB of memory but attempt to write 536 MB of data, overflowing almost immediately.
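To make the stride arithmetic described above concrete, here is a small C program (an added illustration, not ImageMagick's own code from coders/bmp.c) that computes the BMP scanline stride the way a 32-bit build would, `((width * bpp + 31) / 32) * 4` in 32-bit unsigned arithmetic, beside the `3 × width` bytes the row writer emits for 24-bpp. It reproduces the advisory's two widths, 178,956,970 (the smallest that wraps) and 178,957,200 (the test case), shows that the same formula in 64-bit arithmetic yields a stride matching the row size, which is why 64-bit builds escape the wrap itself, and adds a bounds check of the kind a defensive encoder needs before allocating. The function names and the check are assumptions for the demonstration, not the project's fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Stride as a 32-bit build computes it: width * bpp + 31 is evaluated in
   32-bit unsigned arithmetic and wraps modulo 2^32. Constructed to mirror
   the arithmetic the advisory describes, not ImageMagick's source. */
uint32_t stride32(uint32_t width, uint32_t bpp) {
    uint32_t bits = width * bpp + 31u;   /* may wrap */
    return (bits / 32u) * 4u;
}

/* The same formula in 64-bit arithmetic, as a 64-bit build evaluates it. */
uint64_t stride64(uint64_t width, uint64_t bpp) {
    return ((width * bpp + 31u) / 32u) * 4u;
}

/* Bytes the per-row writer actually emits for a 24-bpp scanline. */
uint64_t row_bytes_24bpp(uint64_t width) {
    return 3u * width;
}

/* 1 if the 24-bpp row writer would run past a buffer sized by stride32. */
int would_overflow_32bit(uint32_t width) {
    return row_bytes_24bpp(width) > stride32(width, 24u);
}

/* Hypothetical overflow-safe stride: reject any width whose width*bpp+31
   cannot fit in 32 bits before doing the arithmetic. Returns 1 and stores
   the stride on success, 0 if the image must be refused. */
int stride_checked(uint64_t width, uint64_t bpp, uint64_t *stride) {
    if (bpp == 0 || width > (UINT32_MAX - 31u) / bpp)
        return 0;                              /* would wrap on 32-bit */
    *stride = ((width * bpp + 31u) / 32u) * 4u;
    return 1;
}

int main(void) {
    uint32_t widths[] = { 1920u, 178956970u, 178957200u };
    for (int i = 0; i < 3; i++) {
        uint32_t w = widths[i];
        uint64_t s = 0;
        printf("width %u: stride32=%u stride64=%llu row=%llu overflow=%d "
               "accepted=%d\n",
               w, stride32(w, 24u),
               (unsigned long long)stride64(w, 24u),
               (unsigned long long)row_bytes_24bpp(w),
               would_overflow_32bit(w),
               stride_checked(w, 24u, &s));
    }
    return 0;
}
```

For the test-case width the 32-bit stride collapses to 688 bytes while the row writer emits 536,871,600 bytes, the mismatch the advisory calls the overflow primitive; the 64-bit stride comes out to exactly 536,871,600, so the two agree and no out-of-bounds write occurs there, which is the point of the maintainers' note that 64-bit builds still need a size check to prevent huge allocations.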
The advisory stresses the danger: “Primitive: Large, contiguous, attacker-controlled heap overwrite beginning at the scanline slot… Outcome: At minimum, deterministic crash (DoS). On many 32-bit allocators, well-understood heap shaping can escalate to RCE.”
This means attackers could weaponize the bug in scenarios where user-supplied images are automatically converted or processed server-side, such as:
- Web applications using ImageMagick in file upload pipelines.
- Automated thumbnail generators.
- Normalization processes in content management systems.
While 64-bit builds are immune to the integer overflow itself, the maintainers caution that additional checks are still necessary to guard against future DoS scenarios.
Affected:
- ImageMagick < 7.1.2-2
- ImageMagick < 6.9.13-28
Fixed:
- 7.1.2-2
- 6.9.13-28
Users running 32-bit builds must upgrade immediately.