CVE-2025-68618

Infinite Loops, Finite Stacks: Parsing CVE-2025-68618 in ImageMagick

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·6 min read·9 visits

Executive Summary (TL;DR)

ImageMagick < 7.1.2-12 is vulnerable to Denial of Service (DoS) via uncontrolled recursion. By feeding the parser an SVG or MSL file with thousands of nested elements (like `<g><g><g>...`), an attacker can trigger a stack overflow or excessive memory allocation, crashing the process. The fix involves implementing a hard limit on recursion depth.

A classic recursion exhaustion vulnerability in ImageMagick's SVG and MSL parsers allows attackers to crash services via deeply nested XML structures.

Official Patches

ImageMagickOfficial patch on GitHub

Fix Analysis (1)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Probability
0.04%
Top 90% most exploited

Affected Systems

ImageMagick < 7.1.2-12Web applications handling SVG uploadsDocument conversion pipelinesThumbnail generation services

Affected Versions Detail

Product
Affected Versions
Fixed Version
ImageMagick
ImageMagick Studio LLC
< 7.1.2-127.1.2-12
AttributeDetail
CWECWE-674 (Uncontrolled Recursion)
Attack VectorLocal / Network (File Upload)
CVSS5.3 (Medium)
ImpactDenial of Service (DoS)
Componentcoders/svg.c, coders/msl.c
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1499.003Endpoint Denial of Service: Application or System Exploitation
Impact
T1190Exploit Public-Facing Application
Initial Access
CWE-674
Uncontrolled Recursion

The software does not correctly limit the number of recursive calls, allowing an attacker to cause a crash by exhausting the stack.

Known Exploits & Detection

Advisory AnalysisConstructing deep XML trees (20k+ tags) triggers the recursion limit.

Vulnerability Timeline

Patch Committed to GitHub
2025-01-20
Analysis Generated
2025-02-13