CVE-2025-27795
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-27795 is a vulnerability in the ReadJXLImage function within the JXL component of GraphicsMagick versions before 1.3.46, where image dimension resource limits are lacking. This issue, tied to CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 4.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L), indicating a medium-severity problem primarily affecting availability.
Local attackers can exploit this flaw with low attack complexity, requiring no privileges or user interaction. By providing a specially crafted JXL image, they can trigger resource exhaustion, leading to a denial-of-service condition with limited availability impact and changed scope due to interactions with the JXL library.
GraphicsMagick mitigates this vulnerability in version 1.3.46, as documented in the project's NEWS file and via commit 9bbae7314e3c3b19b830591010ed90bb136b9c42. Additional context from libjxl GitHub issues (e.g., #3792 and #3793) and an OSS-Fuzz report (#42536330) highlights discovery through fuzzing efforts.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables local resource exhaustion via a crafted JXL image in GraphicsMagick, directly facilitating Endpoint Denial of Service through Application or System Exploitation (T1499.004).