CVE-2025-55005

unknown
Published — · Modified —
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
—

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, when preparing to transform from Log to sRGB colorspaces, the logmap construction fails to handle cases where the reference-black or reference-white value is larger than 1024. This leads to corrupting memory beyond the end of the allocated logmap buffer. This issue has been patched in version 7.1.2-1.
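The out-of-bounds write described above comes from sizing a loop by the reference-black (or reference-white) value without first checking that the resulting table index stays inside the buffer. The C program below is an added, simplified model written for this page; it is not ImageMagick's code. It assumes a lookup table of MAX_MAP+1 entries indexed on a 0..1024 reference scale (an assumption chosen to match the description, with MAX_MAP set to 65535) and places the unchecked bound computation beside a version that validates both inputs before any loop is driven by them.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a Log->sRGB lookup-table build (illustration only,
   not ImageMagick's code). Assumptions: the table holds MAX_MAP+1 entries
   and reference-black/white are expressed on a 0..1024 scale. */
#define MAX_MAP 65535UL

/* Unchecked bound: the number of entries a loop "for (i = 0;
   i <= reference_black * MAX_MAP / 1024; i++)" would touch. Nothing is
   written here; the function only reports the loop extent. */
static size_t entries_written_unchecked(double reference_black)
{
    return (size_t)(reference_black * MAX_MAP / 1024.0) + 1;
}

/* Returns 1 when the unchecked loop would run past a (MAX_MAP+1)-entry
   buffer, i.e. exactly the reference_black > 1024 case. */
int would_overflow(double reference_black)
{
    return entries_written_unchecked(reference_black) > MAX_MAP + 1;
}

/* Hardened build: reject out-of-range or inverted references up front, so
   every index derived from them is provably <= MAX_MAP. Returns NULL on
   invalid input or allocation failure; caller frees the result. */
unsigned short *build_logmap_checked(double reference_black,
                                     double reference_white)
{
    size_t i, black_end;
    unsigned short *logmap;

    if (reference_black < 0.0 || reference_black > 1024.0 ||
        reference_white < 0.0 || reference_white > 1024.0 ||
        reference_black >= reference_white)
        return NULL;

    logmap = calloc(MAX_MAP + 1, sizeof *logmap);
    if (logmap == NULL)
        return NULL;

    /* black_end <= MAX_MAP is guaranteed by the range check above. */
    black_end = (size_t)(reference_black * MAX_MAP / 1024.0);
    for (i = 0; i <= black_end; i++)
        logmap[i] = 0;                       /* everything below black clips to 0 */
    for (; i <= MAX_MAP; i++)
        logmap[i] = (unsigned short)i;       /* stand-in ramp for the real log curve */
    return logmap;
}

/* Builds with the checked routine, verifies the first and last entries,
   frees the table, and reports success; used so the result can be asserted
   on without leaking. */
int checked_build_ok(double reference_black, double reference_white)
{
    unsigned short *m = build_logmap_checked(reference_black, reference_white);
    int ok;
    if (m == NULL)
        return 0;
    ok = (m[0] == 0) && (m[MAX_MAP] == (unsigned short)MAX_MAP);
    free(m);
    return ok;
}

int main(void)
{
    /* 95/685 are constructed sample references inside the valid range. */
    printf("95/685 checked build ok: %d\n", checked_build_ok(95.0, 685.0));
    printf("reference_black=1024 overflows: %d\n", would_overflow(1024.0));
    printf("reference_black=2048 overflows: %d\n", would_overflow(2048.0));
    printf("2048/4096 checked build ok: %d\n", checked_build_ok(2048.0, 4096.0));
    return 0;
}
```

The point of the checked version is that the validation happens on the inputs, before the loop bound is derived from them, rather than clamping the index inside the loop; an inverted pair (black >= white) is rejected for the same reason, since a later ramp between the two would otherwise be sized from a negative span.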

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Community-verified. Authored 2026-05-29.

Add a restrictive policy to /etc/ImageMagick-7/policy.xml (or ~/.config/ImageMagick/policy.xml for user installs):

<policymap>
  <policy domain="coder" rights="none" pattern="{LOGLUV,LOGLUV24,LOGLUV32}" />
</policymap>

Restart any application servers (PHP-FPM, Passenger, etc.) using ImageMagick. Verify with:

identify -list policy | grep -i log

This blocks TIFF Log colorspace decoding entirely. Rollback: comment out the policy lines and restart. Test legitimate workflows first—some scientific imaging uses Log colorspace.


OS impact

OS       Version    Status     Fixed in
debian   bookworm   fixed      0
debian   bullseye   fixed      0
debian   forky      fixed      8:7.1.2.1+dfsg1-1
debian   sid        fixed      8:7.1.2.1+dfsg1-1
debian   trixie     fixed      8:7.1.1.43+dfsg1-1+deb13u2
suse     sles       affected
