Infinite Loops, Finite Stacks: Parsing CVE-2025-68618 in ImageMagick

Amit Schendel

Senior Security Researcher

Jan 1, 2026·6 min read·13 visits

PoC Available

Executive Summary (TL;DR)

ImageMagick < 7.1.2-12 is vulnerable to Denial of Service (DoS) via uncontrolled recursion. By feeding the parser an SVG or MSL file with thousands of nested elements (like `<g><g><g>...`), an attacker can trigger a stack overflow or excessive memory allocation, crashing the process. The fix involves implementing a hard limit on recursion depth.

A classic recursion exhaustion vulnerability in ImageMagick's SVG and MSL parsers allows attackers to crash services via deeply nested XML structures.

Attack Flow Diagram

Official Patches

ImageMagickOfficial patch on GitHub

Fix Analysis (1)

Technical Appendix

CVSS Score

5.3/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

0.04%

Top 90% most exploited

Affected Systems

ImageMagick < 7.1.2-12Web applications handling SVG uploadsDocument conversion pipelinesThumbnail generation services

Affected Versions Detail

Product	Affected Versions	Fixed Version
ImageMagick ImageMagick Studio LLC	< 7.1.2-12	7.1.2-12

Attribute	Detail
CWE	CWE-674 (Uncontrolled Recursion)
Attack Vector	Local / Network (File Upload)
CVSS	5.3 (Medium)
Impact	Denial of Service (DoS)
Component	coders/svg.c, coders/msl.c
Exploit Status	Proof of Concept Available

MITRE ATT&CK Mapping

T1499.003Endpoint Denial of Service: Application or System Exploitation

Impact

T1190Exploit Public-Facing Application

Initial Access

CWE-674

Uncontrolled Recursion

The software does not correctly limit the number of recursive calls, allowing an attacker to cause a crash by exhausting the stack.

Known Exploits & Detection

Advisory AnalysisConstructing deep XML trees (20k+ tags) triggers the recursion limit.

Vulnerability Timeline

Patch Committed to GitHub

2025-01-20

Analysis Generated

2025-02-13