Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
.NET NuGet

GHSA-7rvh-xqp3-pr8j

MEDIUM

ImageMagick's failure to limit MVG mutual causes Stack Overflow

Also known asCVE-2025-68950
Published
Dec 30, 2025
Updated
Feb 4, 2026
Affected
17 pkgs
Patched
17 / 17
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk6th percentile+0.16%
0.00%0.22%0.44%0.66%0.0%0.2%Jan 26Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

17 pkgs affected
.NETMagick.NET-Q16-AnyCPU.NETMagick.NET-Q16-HDRI-AnyCPU.NETMagick.NET-Q16-HDRI-OpenMP-arm64.NETMagick.NET-Q16-HDRI-OpenMP-x64.NETMagick.NET-Q16-HDRI-arm64.NETMagick.NET-Q16-HDRI-x64.NETMagick.NET-Q16-HDRI-x86.NETMagick.NET-Q16-OpenMP-arm64+9 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

Summary

Magick fails to check for circular references between two MVGs, leading to a stack overflow.

Details

After reading mvg1 using Magick, the following is displayed:

./magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3564123==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589549a4458 bp 0x7ffcc61f34a0 sp 0x7ffcc61efdd0 T0)
    #0 0x5589549a4458 in GetImagePixelCache MagickCore/cache.c:1726
    #1 0x5589549b02c1 in QueueAuthenticPixelCacheNexus MagickCore/cache.c:4261
    #2 0x5589549a2f24 in GetAuthenticPixelCacheNexus MagickCore/cache.c:1368
    #3 0x5589549bae98 in GetCacheViewAuthenticPixels MagickCore/cache-view.c:311
    #4 0x558954afb3a5 in DrawPolygonPrimitive._omp_fn.1 MagickCore/draw.c:5172
    #5 0x7f62dd89fa15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15)
    #6 0x558954ae0f41 in DrawPolygonPrimitive MagickCore/draw.c:5156
    #7 0x558954ae5607 in DrawPrimitive MagickCore/draw.c:5875
    #8 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #9 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #10 0x55895496cedb in RenderFreetype MagickCore/annotate.c:2065
    #11 0x55895496702e in RenderType MagickCore/annotate.c:1112
    #12 0x558954963da7 in AnnotateImage MagickCore/annotate.c:544
    #13 0x558954ae4e0a in DrawPrimitive MagickCore/draw.c:5799
    #14 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #15 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #16 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    #17 0x558954a15ecc in ReadImage MagickCore/constitute.c:743
    #18 0x558954ae3c76 in DrawPrimitive MagickCore/draw.c:5705
    #19 0x558954adc72d in RenderMVGContent MagickCore/draw.c:4522
    #20 0x558954adcf67 in DrawImage MagickCore/draw.c:4561
    #21 0x558954755a46 in ReadMVGImage coders/mvg.c:240
    ...

Impact

This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected.

Affected Packages

17 total 17 fixed
EcosystemPackageVulnerable rangeFix
.NETNuGetMagick.NET-Q16-AnyCPUall versions14.10.1
.NETNuGetMagick.NET-Q16-HDRI-AnyCPUall versions14.10.1
.NETNuGetMagick.NET-Q16-HDRI-OpenMP-arm64all versions14.10.1
.NETNuGetMagick.NET-Q16-HDRI-OpenMP-x64all versions14.10.1
.NETNuGetMagick.NET-Q16-HDRI-arm64all versions14.10.1
.NETNuGetMagick.NET-Q16-HDRI-x64all versions14.10.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Magick.NET-Q16-AnyCPU. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update Magick.NET-Q16-AnyCPU to 14.10.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7rvh-xqp3-pr8j is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-7rvh-xqp3-pr8j is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-7rvh-xqp3-pr8j. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Magick fails to check for circular references between two MVGs, leading to a stack overflow. ### Details After reading mvg1 using Magick, the following is displayed: ``` ./magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png AddressSanitizer:DEADLYSIGNAL ================================================================= ==3564123==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589549a4458 bp 0x7ffcc61f34a0 sp 0x7ffcc61efdd0 T0) #0 0x5589549a4458 in GetImagePixelCache MagickCore/cache.c:1726 #1 0x5589549b02c1 in QueueA
O3 Security · Impact-Aware SCA

Is GHSA-7rvh-xqp3-pr8j in your dependencies?

O3 detects GHSA-7rvh-xqp3-pr8j across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works