GHSA-jqq5-8px3-9m6m
MEDIUMImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix
Blast Radius
Magick.NET-Q16-AnyCPU.NETMagick.NET-Q16-HDRI-AnyCPU.NETMagick.NET-Q16-HDRI-OpenMP-arm64.NETMagick.NET-Q16-HDRI-arm64.NETMagick.NET-Q16-HDRI-x64.NETMagick.NET-Q16-HDRI-x86.NETMagick.NET-Q16-OpenMP-arm64.NETMagick.NET-Q16-OpenMP-x64+9 moreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
An incorrect fix that was applied in GHSA-5592-p365-24xh could result in a heap buffer over-write of a single byte.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | Magick.NET-Q16-AnyCPU | all versions | 14.12.0 |
| .NETNuGet | Magick.NET-Q16-HDRI-AnyCPU | all versions | 14.12.0 |
| .NETNuGet | Magick.NET-Q16-HDRI-OpenMP-arm64 | all versions | 14.12.0 |
| .NETNuGet | Magick.NET-Q16-HDRI-arm64 | all versions | 14.12.0 |
| .NETNuGet | Magick.NET-Q16-HDRI-x64 | all versions | 14.12.0 |
| .NETNuGet | Magick.NET-Q16-HDRI-x86 | all versions | 14.12.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Magick.NET-Q16-AnyCPU. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update Magick.NET-Q16-AnyCPU to 14.12.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jqq5-8px3-9m6m is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-jqq5-8px3-9m6m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-jqq5-8px3-9m6m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-jqq5-8px3-9m6m in your dependencies?
O3 detects GHSA-jqq5-8px3-9m6m across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.