CVE-2025-68950
4.00.01%
CVE-2025-68950: The Ouroboros of Graphics - ImageMagick Recursive DoS
Alon Barad
Software EngineerJan 1, 2026·5 min read·4 visits
PoC Available
Executive Summary (TL;DR)
ImageMagick forgot to stop MVG files from loading other MVG files. By creating two tiny text files that reference each other, an attacker can trigger infinite recursion, exhausting the stack and crashing the process. Fix: Upgrade to 7.1.2-12 or disable the MVG coder in policy.xml.
A classic recursion vulnerability in ImageMagick's MVG (Magick Vector Graphics) parser allows for infinite loops via self-referential image primitives. While officially rated as 'Local' access, this creates a trivial Denial of Service vector for any web application processing user-uploaded images.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
4.0/ 10
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LEPSS Probability
0.01%
Top 100% most exploited
Affected Systems
ImageMagick < 7.1.2-12Web applications utilizing ImageMagick for image processingContent Management Systems (CMS) with image upload features
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
ImageMagick ImageMagick Studio LLC | < 7.1.2-12 | 7.1.2-12 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-674 (Uncontrolled Recursion) |
| CVSS v3.1 | 4.0 (Medium) |
| Attack Vector | Local (Remote via Upload) |
| Impact | Denial of Service (Stack Exhaustion) |
| EPSS Score | 0.00013 |
| Patch Commit | 204718c |
MITRE ATT&CK Mapping
CWE-674
Uncontrolled Recursion
Known Exploits & Detection
Vulnerability Timeline
Patch Committed to GitHub
2024-02-12
CVE Published
2025-02-18