CVE-2025-54575
MEDIUM5.3EPSS 0.34%SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
Published: 7/30/2025Modified: 7/31/2025
Description
### Impact A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. This leads to a denial of service. Applications processing untrusted GIF input should upgrade to a patched version. ### Patches The problem has been patched. All users are advised to upgrade to v3.1.11 or v2.1.11. ### Workarounds None.
Affected packages (1)
- NuGet/SixLabors.ImageSharpfrom 0, < 2.1.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54575
- PATCHhttps://github.com/SixLabors/ImageSharp
- WEBhttps://github.com/SixLabors/ImageSharp/commit/55e49262df9a057dff9b7807ed1b7bdb49187c3f
- WEBhttps://github.com/SixLabors/ImageSharp/commit/833f3ceec35af6b775950e06f03b934546cefbf6
- WEBhttps://github.com/SixLabors/ImageSharp/issues/2953
- WEBhttps://github.com/SixLabors/ImageSharp/security/advisories/GHSA-rxmq-m78w-7wmc