CVE-2025-27598
Out-of-bounds Write vulnerability in SixLabors.ImageSharp (NuGet)

Out-of-bounds Write · No known exploit

What is CVE-2025-27598 About?

This vulnerability is an out-of-bounds write in the ImageSharp GIF decoder. A specially crafted GIF image triggers it and crashes the decoding process, so an attacker can cause a denial of service against any application that decodes attacker-supplied image files with the affected library.

Affected Software

  • SixLabors.ImageSharp
    • <2.1.10
    • >3.0.0, <3.1.7

Technical Details

The ImageSharp library's GIF decoder contains an out-of-bounds write vulnerability. When it processes a specially crafted GIF image, the decoder writes data outside the bounds of its allocated memory buffer. The resulting memory corruption typically ends in a program crash from an invalid memory access, i.e. a denial of service condition. The malformed GIF structure drives the decoder's internal indices or pointers out of range, so it reads from or writes to memory it was never meant to touch.

What is the Impact of CVE-2025-27598?

Successful exploitation may allow attackers to cause applications or services to become unresponsive or unavailable.

What is the Exploitability of CVE-2025-27598?

Exploitation of this vulnerability requires an attacker to provide a specially crafted GIF image to an application that uses the vulnerable ImageSharp library for image processing. No authentication or elevated privileges are necessary, as the vulnerability lies within the image decoding mechanism. The attack can be remote if the application accepts and processes user-supplied GIF files, for example, through web uploads or email attachments. The primary prerequisite is that the target system is configured to process GIF images using the affected library version. The risk of exploitation is higher in web applications or services that allow users to upload or display GIF content without robust input validation and sanitization, as an attacker can easily embed the malicious payload within a seemingly benign image file.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(no entries: no known public exploits)

What are the Available Fixes for CVE-2025-27598?

Available Upgrade Options

  • SixLabors.ImageSharp
    • <2.1.10 → Upgrade to 2.1.10
  • SixLabors.ImageSharp
    • >3.0.0, <3.1.7 → Upgrade to 3.1.7
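A small dependency check against the two affected ranges listed above, as an added example (not code from the advisory or from the ImageSharp project). The `.csproj` content is constructed, and the range boundaries are encoded exactly as the advisory states them, including the strict `>3.0.0` lower bound:

```python
"""Check a project's SixLabors.ImageSharp version against the ranges
CVE-2025-27598 lists (affected: <2.1.10 and >3.0.0,<3.1.7).
Added example; the .csproj content below is constructed, not from the page."""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as the advisory states them:
# (lower bound or None, lower bound inclusive?, upper bound (exclusive))
AFFECTED_RANGES = [
    (None, False, (2, 1, 10)),       # <2.1.10
    ((3, 0, 0), False, (3, 1, 7)),   # >3.0.0, <3.1.7 (strict, as written)
]
FIXED_FOR_RANGE = ["2.1.10", "3.1.7"]  # upgrade target per range

def parse_version(text):
    """Turn '3.1.6' or '3.1.6-beta.1' into a comparable numeric tuple.
    Pre-release suffixes are ignored; NuGet range syntax such as
    '[3.1.0,)' is rejected rather than silently misread."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(version):
    """Return the recommended fixed version if `version` falls inside an
    affected range, or None if it does not."""
    v = parse_version(version)
    for (lo, lo_incl, hi), fixed in zip(AFFECTED_RANGES, FIXED_FOR_RANGE):
        above_lo = lo is None or (v >= lo if lo_incl else v > lo)
        if above_lo and v < hi:
            return fixed
    return None

def check_csproj(csproj_xml):
    """Find SixLabors.ImageSharp PackageReference entries in a .csproj and
    report (version, fixed_version_or_None) for each one."""
    root = ET.fromstring(csproj_xml)
    results = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include", "").lower() != "sixlabors.imagesharp":
            continue
        # NuGet accepts the version as an attribute or as a child element
        ver = ref.get("Version") or (ref.findtext("Version") or "").strip()
        results.append((ver, is_affected(ver)))
    return results

# Constructed sample project file (not taken from the advisory)
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SixLabors.ImageSharp" Version="3.1.6" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for ver, fix in check_csproj(SAMPLE_CSPROJ):
        print(ver, "->", f"upgrade to {fix}" if fix else "not affected")
```

Running it on the sample reports `3.1.6 -> upgrade to 3.1.7`; point `check_csproj` at your own project files, or adapt it to `packages.lock.json`, to scan a whole solution.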


Additional Resources

What are Similar Vulnerabilities to CVE-2025-27598?

Similar Vulnerabilities: CVE-2023-45803, CVE-2023-38545, CVE-2023-38410, CVE-2023-28485, CVE-2023-28155