CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-68950

CVE-2025-68950: The Ouroboros of Graphics - ImageMagick Recursive DoS

Alon Barad
Alon Barad
Software Engineer

Jan 1, 2026·5 min read·23 visits

Executive Summary (TL;DR)

ImageMagick forgot to stop MVG files from loading other MVG files. By creating two tiny text files that reference each other, an attacker can trigger infinite recursion, exhausting the stack and crashing the process. Fix: Upgrade to 7.1.2-12 or disable the MVG coder in policy.xml.

A classic recursion vulnerability in ImageMagick's MVG (Magick Vector Graphics) parser allows for infinite loops via self-referential image primitives. While officially rated as 'Local' access, this creates a trivial Denial of Service vector for any web application processing user-uploaded images.

Official Patches

ImageMagickOfficial patch commit on GitHub

Fix Analysis (1)

Technical Appendix

CVSS Score
4.0/ 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Probability
0.01%
Top 100% most exploited

Affected Systems

ImageMagick < 7.1.2-12Web applications utilizing ImageMagick for image processingContent Management Systems (CMS) with image upload features

Affected Versions Detail

Product
Affected Versions
Fixed Version
ImageMagick
ImageMagick Studio LLC
< 7.1.2-127.1.2-12
AttributeDetail
CWE IDCWE-674 (Uncontrolled Recursion)
CVSS v3.14.0 (Medium)
Attack VectorLocal (Remote via Upload)
ImpactDenial of Service (Stack Exhaustion)
EPSS Score0.00013
Patch Commit204718c

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
T1203Exploitation for Client Execution
Execution
CWE-674
Uncontrolled Recursion

Known Exploits & Detection

Manual AnalysisTwo-file circular dependency MVG PoC demonstrated in report.

Vulnerability Timeline

Patch Committed to GitHub
2024-02-12
CVE Published
2025-02-18

References & Sources

  • [1]ImageMagick GitHub Repository
  • [2]NVD Entry for CVE-2025-68950

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•20 minutes ago•CVE-2026-50020
5.3

CVE-2026-50020: HTTP Request Smuggling in Netty HttpObjectDecoder via Arbitrary Leading Control Bytes

CVE-2026-50020 is a medium-severity HTTP Request Smuggling/Response Smuggling vulnerability (CWE-444) within the Netty asynchronous network application framework. The flaw resides in Netty's HTTP codec implementation, specifically the HttpObjectDecoder class, which silently consumes arbitrary ISO control bytes preceding the first request line.

Alon Barad
Alon Barad
0 views•7 min read
•about 1 hour ago•CVE-2026-50560
6.9

CVE-2026-50560: Denial of Service in Netty HTTP/2 Codec via Max Header List Size Exception

CVE-2026-50560 describes a vulnerability in Netty's HTTP/2 codec implementation. When acting as an intermediary (such as a reverse proxy, API gateway, or edge server), Netty can be forced into an application-level Denial-of-Service condition. The attack is triggered by negotiating a restrictive SETTINGS_MAX_HEADER_LIST_SIZE from the client, causing Netty to process incoming requests fully, but subsequently crash or abort during outbound response serialization. This results in an asymmetrical consumption of resources on backend systems and thread starvation within the Netty event loop.

Alon Barad
Alon Barad
1 views•6 min read
•about 1 hour ago•CVE-2026-11417
7.3

CVE-2026-11417: OS Command Injection in AWS CDK NodejsFunction Bundling Pipeline

A critical supply-chain OS command injection vulnerability exists in the NodejsFunction local bundling pipeline within the AWS Cloud Development Kit (CDK) library (aws-cdk-lib) before version 2.245.0 (and before 2.246.0 on Windows systems). The vulnerability allows a threat actor who can control any of several bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary operating system commands on the host machine running the CDK compilation or deployment toolchain (e.g., during cdk synth, cdk deploy, or cdk diff).

Amit Schendel
Amit Schendel
2 views•9 min read
•about 2 hours ago•GHSA-RQ7W-G337-39QQ
6.5

GHSA-RQ7W-G337-39QQ: Project Directory Path and Workspace UUID Disclosure in Nuxt Dev Server

A security vulnerability in the Nuxt development server allows unauthenticated local or cross-origin attackers to retrieve the host machine's absolute project directory path and a persistent Chrome DevTools workspace UUID. The issue stems from an unprotected endpoint registered at `/.well-known/appspecific/com.chrome.devtools.json` which does not validate the HTTP Host, Origin, or Referer headers.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 3 hours ago•CVE-2026-48525
5.3

CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification

PyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.

Alon Barad
Alon Barad
3 views•6 min read
•about 4 hours ago•GHSA-WQVQ-JVPQ-H66F
5.4

GHSA-WQVQ-JVPQ-H66F: Security Control Bypass in Nodemailer via Transport Serialization

Nodemailer prior to version 8.0.9 contains a security control bypass vulnerability. Transport-level configuration parameters designed to restrict local file system access and remote URL requests are not propagated to all content-resolution execution paths. This failure allows unauthorized local file inclusion and server-side request forgery when the application utilizes specific transports or processing flags.

Alon Barad
Alon Barad
2 views•6 min read