SB2025041830 - Multiple vulnerabilities in GraphicsMagick
Published: April 18, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2025-32460)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a heap-based buffer over-read in ReadJXLImage() function in coders/jxl.c, related to an ImportViewPixelArea call. A remote attacker can pass specially crafted image to the application and perform a denial of service attack.
2) Resource exhaustion (CVE-ID: CVE-2025-27795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the ReadJXLImage() function. A remote attacker can pass a specially crafted image to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/8e56520435df50f618a03f2721a39a70a515f1cb
- https://issues.oss-fuzz.com/issues/406320404
- https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/9bbae7314e3c3b19b830591010ed90bb136b9c42
- https://github.com/libjxl/libjxl/issues/3792#issuecomment-2330978387
- https://github.com/libjxl/libjxl/issues/3793#issuecomment-2334843280
- https://issues.oss-fuzz.com/issues/42536330#comment6