CVE-2025-54575
Denial of Service vulnerability in SixLabors.ImageSharp (NuGet)

Vulnerability type: Denial of Service. Known public exploits: none.

What is CVE-2025-54575 About?

A specially crafted GIF file can cause the ImageSharp GIF decoder to enter an infinite loop, leading to a denial of service (DoS): the decode call never returns and the application becomes unresponsive. Exploitation is straightforward; the attacker only has to get the vulnerable application to decode the malicious GIF.

Affected Software

  • SixLabors.ImageSharp
    • <2.1.11
    • >3.0.0, <3.1.11

Technical Details

The ImageSharp GIF decoder can loop forever on a specially crafted file. In GIF89a, a comment extension (introducer 0x21, label 0xFE) carries its text as a chain of data sub-blocks, each a length byte followed by that many bytes, and the chain ends with a zero-length block terminator (0x00). The decoder skips a comment by reading length bytes until it sees that terminator. A file whose comment extension ends without a terminator defeats that exit condition, so the skip loop never finishes, the decoding thread consumes CPU indefinitely, and the application becomes unresponsive. The condition is triggered while the GIF structure is being parsed.

What is the Impact of CVE-2025-54575?

Successful exploitation causes a denial of service: the decode call never returns, a CPU core is pinned until the process is killed or restarted, and an application that decodes images on its request threads becomes unresponsive as those threads are tied up. The impact is to availability only. Until the library is upgraded, decoding untrusted images in a separate, restartable worker process under a watchdog timeout limits the blast radius but does not remove the defect.

What is the Exploitability of CVE-2025-54575?

Exploitation consists of producing a GIF whose comment extension block lacks its 0x00 block terminator and getting a vulnerable application to decode it. The attack is low complexity and needs no authentication or special privileges. The file is still a syntactically plausible GIF with a valid header, so content-type or magic-byte checks on upload do not stop it; only the decoder itself can detect the malformation. Any system that decodes GIF input from untrusted sources is exposed, for example web applications that accept user image uploads, services that fetch and resize remote images, or pipelines that process e-mail attachments.
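The following Python model is added here to illustrate both the mechanism described under Technical Details and the file construction described under Exploitability; it is not ImageSharp's code. build_gif() emits a constructed 1x1 GIF whose comment extension either is or is not closed with the 0x00 block terminator, skip_sub_blocks_vulnerable() walks the sub-block chain exiting only on a 0x00 byte (the assumed faulty pattern, with an iteration cap so the demonstration returns instead of hanging), and skip_sub_blocks_fixed() treats end-of-stream as a hard error. The -1 end-of-stream sentinel mirrors .NET's Stream.ReadByte(); the ByteStream class, the function names and the sample comment text are all assumptions of this example.

```python
"""Constructed model of GIF comment-extension sub-block skipping.
Illustration only; not the ImageSharp implementation."""

import struct

GIF_HEADER = b"GIF89a"
EXTENSION_INTRODUCER = 0x21
COMMENT_LABEL = 0xFE
BLOCK_TERMINATOR = 0x00
TRAILER = 0x3B
EOF = -1  # sentinel returned at end of data, like .NET Stream.ReadByte()


def build_gif(comment: bytes, terminated: bool = True) -> bytes:
    """Constructed sample: a 1x1 GIF whose only content is a comment extension.
    With terminated=False the 0x00 block terminator and trailer are omitted."""
    # Logical screen descriptor: width, height, packed flags, bg index, aspect ratio
    lsd = struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
    blocks = b""
    for i in range(0, len(comment), 255):  # sub-blocks hold at most 255 bytes
        chunk = comment[i:i + 255]
        blocks += bytes([len(chunk)]) + chunk
    data = GIF_HEADER + lsd + bytes([EXTENSION_INTRODUCER, COMMENT_LABEL]) + blocks
    if terminated:
        data += bytes([BLOCK_TERMINATOR, TRAILER])
    return data


class ByteStream:
    """Minimal stream (assumed helper): read_byte() returns EOF past the end."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def read_byte(self) -> int:
        if self.pos >= len(self.data):
            return EOF
        value = self.data[self.pos]
        self.pos += 1
        return value

    def skip(self, count: int) -> None:
        # Clamp at the end of data; a non-positive count skips nothing.
        if count > 0:
            self.pos = min(self.pos + count, len(self.data))


def skip_sub_blocks_vulnerable(stream: ByteStream, max_iterations: int = 10_000) -> int:
    """Assumed faulty pattern: loop until a 0x00 terminator, never testing EOF.
    On a truncated block read_byte() yields -1 forever. max_iterations exists
    only so this demo terminates; a real decoder written this way has no cap."""
    iterations = 0
    while (length := stream.read_byte()) != BLOCK_TERMINATOR:
        iterations += 1
        if iterations > max_iterations:
            raise RuntimeError("no block terminator: decoder would spin forever")
        stream.skip(length)
    return iterations


def skip_sub_blocks_fixed(stream: ByteStream) -> int:
    """Same walk, but end-of-stream ends the loop with an error."""
    iterations = 0
    while True:
        length = stream.read_byte()
        if length == EOF:
            raise ValueError("truncated comment extension: missing block terminator")
        if length == BLOCK_TERMINATOR:
            return iterations
        iterations += 1
        stream.skip(length)


def decode_comment(data: bytes, skipper) -> str:
    """Walk header + logical screen descriptor, then hand the comment extension
    to the given skipper. Returns an outcome label for comparing the two skippers."""
    stream = ByteStream(data)
    if data[:6] != GIF_HEADER:
        return "not-a-gif"
    stream.skip(6 + 7)  # header (6 bytes) + logical screen descriptor (7 bytes)
    if stream.read_byte() != EXTENSION_INTRODUCER or stream.read_byte() != COMMENT_LABEL:
        return "no-comment-extension"
    try:
        skipper(stream)
    except RuntimeError:
        return "hang"
    except ValueError:
        return "rejected"
    return "ok"


if __name__ == "__main__":
    good = build_gif(b"hello", terminated=True)
    bad = build_gif(b"hello", terminated=False)
    for name, skipper in (("vulnerable", skip_sub_blocks_vulnerable),
                          ("fixed", skip_sub_blocks_fixed)):
        print(f"{name}: well-formed -> {decode_comment(good, skipper)}, "
              f"missing terminator -> {decode_comment(bad, skipper)}")
```

The well-formed file decodes identically under both skippers; the file without a terminator makes the vulnerable skipper spin (reported as "hang" only because of the demo's iteration cap) while the fixed skipper rejects it as truncated.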

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary on record).

What are the Available Fixes for CVE-2025-54575?

Available Upgrade Options

  • SixLabors.ImageSharp
    • <2.1.11 → Upgrade to 2.1.11
    • >3.0.0, <3.1.11 → Upgrade to 3.1.11


Additional Resources

What are Similar Vulnerabilities to CVE-2025-54575?

Similar Vulnerabilities: CVE-2025-27598, CVE-2024-41132, CVE-2024-41131, CVE-2025-3857, CVE-2024-40667