Security researcher Lumina Mescuwa has disclosed a critical vulnerability in ImageMagick, tracked as CVE-2025-57807 (CVSS 9.8). The flaw stems from a contract mismatch in BlobStream’s SeekBlob() and WriteBlob() functions, leading to a heap out-of-bounds write that attackers can exploit to corrupt memory and potentially execute arbitrary code.
ImageMagick is one of the most widely used image-processing libraries, powering countless applications, websites, and services. The flaw lies within its MagickCore blob subsystem, specifically the SeekBlob() and WriteBlob() routines.
As the report explains, “SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds.”
In simple terms, the stream offset can be moved past the end of the buffer without the buffer being grown to match; the next write then sizes its growth without regard to that offset but still copies to data + offset, so the written bytes reliably land outside the allocation.
The vulnerability lets an attacker write controlled bytes at a controlled offset, a powerful primitive for exploit development. The researcher demonstrated it with a simple test: initialize a 1-byte blob, seek the offset forward by 256 MiB, and write a few bytes, which immediately corrupts the heap.
As noted in the analysis, “Once a forward seek past end occurs, the first subsequent write reliably corrupts memory.”
Mescuwa has also released a proof-of-concept exploit for CVE-2025-57807, confirming the bug’s reliability in triggering heap overflows without requiring wraparound arithmetic, external delegates, or specific policy settings.
The flaw is particularly dangerous because of its potential reach:
- Any encode-to-memory flow that seeks forward before writing (e.g., header back-patching or reserved-space techniques) could hit this bug.
- Even if current ImageMagick encoders don’t use this pattern, the API permits it, creating a latent sink for both first- and third-party developers.
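The contract mismatch quoted above and the reserved-space pattern from the list, modelled in C as an added example for this article. This is not ImageMagick's BlobStream source: the struct fields, the quantum value, the growth arithmetic and the function names are assumptions based on the researcher's description. The flawed path only computes whether the copy would land outside the grown allocation instead of performing it, so the program runs without corrupting its own heap; the hardened path derives capacity from offset + length, zero-fills the hole a forward seek leaves, and only then copies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy in-memory blob stream modelling the seek/write contract described in
   the advisory. Constructed for this article; field names are assumptions. */
typedef struct {
    unsigned char *data;   /* heap allocation */
    size_t extent;         /* allocated capacity in bytes */
    size_t length;         /* logical end: bytes written so far */
    size_t offset;         /* current stream position */
    size_t quantum;        /* growth increment used by the flawed rule */
} Blob;

bool blob_init(Blob *b, size_t initial, size_t quantum) {
    if (initial == 0) initial = 1;
    b->data = calloc(initial, 1);
    if (b->data == NULL) return false;
    b->extent = initial;
    b->length = 0;
    b->offset = 0;
    b->quantum = quantum;
    return true;
}

void blob_free(Blob *b) {
    free(b->data);
    b->data = NULL;
    b->extent = b->length = b->offset = 0;
}

/* Seek: moves the position anywhere, including past the current end, without
   touching capacity. This permissive contract is what the write side must
   honour. */
void blob_seek(Blob *b, size_t offset) { b->offset = offset; }

/* Flawed growth rule (modelled, not copied): when the write does not fit,
   capacity grows by quantum + length, ignoring offset, and the copy would go
   to data + offset. Returns true when that copy would land past the grown
   allocation, i.e. a heap out-of-bounds write. No copy is performed. */
bool flawed_write_overflows(const Blob *b, size_t n) {
    size_t extent = b->extent;
    if (b->offset + n > extent)
        extent += b->quantum + b->length;   /* offset never enters here */
    return b->offset + n > extent;
}

/* Hardened write: capacity is derived from offset + n, the gap between the
   old end and the new offset is zero-filled, and the copy is bounds-checked. */
bool blob_write(Blob *b, const void *src, size_t n) {
    if (n == 0) return true;
    if (b->offset > SIZE_MAX - n) return false;   /* offset + n would wrap */
    size_t need = b->offset + n;
    if (need > b->extent) {
        size_t grow = need + b->quantum;          /* amortised, still >= need */
        if (grow < need) grow = need;             /* guard that addition too */
        unsigned char *p = realloc(b->data, grow);
        if (p == NULL) return false;
        b->data = p;
        b->extent = grow;
    }
    if (b->offset > b->length)                    /* forward seek left a hole */
        memset(b->data + b->length, 0, b->offset - b->length);
    memcpy(b->data + b->offset, src, n);          /* offset + n <= extent */
    b->offset += n;
    if (b->offset > b->length) b->length = b->offset;
    return true;
}

/* Same shape as the researcher's test: 1-byte blob, seek forward 256 MiB,
   write a few bytes. Returns true if the flawed rule would corrupt the heap. */
bool repro_flawed_seek_then_write(void) {
    Blob b;
    if (!blob_init(&b, 1, 64 * 1024)) return false;
    blob_seek(&b, 256u << 20);
    bool oob = flawed_write_overflows(&b, 4);
    blob_free(&b);
    return oob;
}

/* Reserved-space pattern with the hardened writer: seek past end, write the
   body, seek back, patch the header. Returns the patched byte at data[0],
   or -1 on any failure. */
int reserved_space_roundtrip(void) {
    static const unsigned char body[] = "payload";   /* constructed input */
    Blob b;
    int v = -1;
    if (!blob_init(&b, 1, 16)) return -1;
    blob_seek(&b, 1u << 20);                          /* reserve 1 MiB header */
    if (!blob_write(&b, body, sizeof body)) goto out;
    blob_seek(&b, 0);
    if (!blob_write(&b, "\xAB", 1)) goto out;
    if (b.length != (1u << 20) + sizeof body) goto out;
    if (memcmp(b.data + (1u << 20), body, sizeof body) != 0) goto out;
    v = b.data[0];
out:
    blob_free(&b);
    return v;
}
```

The hardened writer also rejects an offset + length that would wrap, which the advisory notes the real bug does not even need; with a 64-bit size_t the plain forward seek is enough on its own.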
The ImageMagick team has addressed the issue in:
- 7.1.2-3
- 6.9.13-29
All users and projects that integrate ImageMagick are strongly urged to upgrade immediately.