CVE-2025-68950

CVE-2025-68950: The Ouroboros of Graphics - ImageMagick Recursive DoS

Alon Barad
Software Engineer

Jan 1, 2026 · 5 min read

Executive Summary (TL;DR)

ImageMagick never stopped an MVG file from loading another MVG file. With two tiny text files that reference each other, an attacker can trigger unbounded recursion in the parser, exhausting the stack and crashing the process. Fix: upgrade to 7.1.2-12 or disable the MVG coder in policy.xml.

A classic recursion vulnerability in ImageMagick's MVG (Magick Vector Graphics) parser allows infinite recursion via self-referential image primitives. Although the CVSS vector rates access as 'Local', any web application that processes user-uploaded images with ImageMagick exposes this as a trivial Denial of Service vector, because an uploaded file is all the attacker needs.
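The policy.xml mitigation named in the summary, shown here as an added example rather than a fragment from the advisory or from ImageMagick's shipped configuration. It disables the MVG coder entirely, which is the right choice for a server that only needs to handle raster uploads; the file path and the presence of the MSL line are assumptions, since the advisory mentions only MVG.

```xml
<!-- Added example: /etc/ImageMagick-7/policy.xml (path is an assumption;
     use `magick -list policy` to see which policy files are actually loaded). -->
<policymap>
  <!-- Refuse to read or write MVG, the text-based vector format whose parser
       recurses into referenced files (CVE-2025-68950). -->
  <policy domain="coder" rights="none" pattern="MVG" />

  <!-- Assumption, not from the advisory: MSL is the other text-driven coder
       that can pull in further files, and is commonly disabled alongside MVG. -->
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

After editing, confirm the rule is active with `magick -list policy` (or `convert -list policy` on older installs) and check that a harmless MVG test file is now rejected with a "not authorized" error rather than parsed. Disabling the coder is a defence-in-depth step that stays useful even after upgrading to 7.1.2-12, because the MVG coder remains a large, text-driven attack surface on any host that does not need vector input.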


Technical Appendix

CVSS Score: 4.0 / 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Probability: 0.01% (top 100% most exploited)

Affected Systems

ImageMagick < 7.1.2-12
Web applications utilizing ImageMagick for image processing
Content Management Systems (CMS) with image upload features

Affected Versions Detail

Product: ImageMagick (ImageMagick Studio LLC)
Affected Versions: < 7.1.2-12
Fixed Version: 7.1.2-12

CWE ID: CWE-674 (Uncontrolled Recursion)
CVSS v3.1: 4.0 (Medium)
Attack Vector: Local (Remote via Upload)
Impact: Denial of Service (Stack Exhaustion)
EPSS Score: 0.00013
Patch Commit: 204718c

Vulnerability Timeline

Patch Committed to GitHub: 2024-02-12
CVE Published: 2025-02-18
