Impact
A flaw in ImageMagick lets a multi-layer nested MVG file be converted to SVG without the depth of the nested structure being validated. This oversight can cause excessive allocation of system resources, leading to a denial-of-service condition for the process that performed the conversion. The weakness is categorized as CWE-1284 and CWE-400, reflecting improper input handling and resource exhaustion. An attacker who can supply a crafted MVG file can trigger a crash or freeze of the ImageMagick instance, potentially impacting services that rely on image conversion.
Affected Systems
The vulnerability is present in any ImageMagick installation before version 7.1.2‑15 or 6.9.13‑40. It also affects applications using the .NET wrapper Magick.NET on versions prior to 14.10.3, as indicated by the associated CPE strings for dlemstra:magick.net and imagemagick:imagemagick. Updated releases of both the core library and the wrapper contain the patch.
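The version boundaries above apply per release branch, so a plain "older than 7.1.2-15" comparison would wrongly flag a patched 6.9.13-40 install. The following check is an added example, not code from ImageMagick, Magick.NET or OpenCVE; the function names and the sample banner strings are constructed for illustration, and it assumes the usual `ImageMagick X.Y.Z-N` form printed by the `-version` option.

```python
import re

# Fixed releases, taken from the advisory text above.
FIXED_IMAGEMAGICK = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}
FIXED_MAGICK_NET = (14, 10, 3)

_IM_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")
_NET_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-39 Q16 x86_64 https://legacy.imagemagick.org",
]


def imagemagick_version(banner):
    """Return (major, minor, patch, revision) from a version banner, or None."""
    m = _IM_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def imagemagick_affected(banner):
    """True if older than the fix for its branch, False if not, None if unknown."""
    version = imagemagick_version(banner)
    if version is None:
        return None
    fixed = FIXED_IMAGEMAGICK.get(version[0])
    if fixed is None:
        # Branches older than 6 predate both fixed releases; newer ones are
        # outside what the advisory covers, so do not guess.
        return True if version[0] < 6 else None
    return version < fixed


def magick_net_affected(package_version):
    """Same check for a Magick.NET package version such as '14.10.2'."""
    m = _NET_RE.match(package_version)
    if not m:
        return None
    return tuple(int(g) for g in m.groups()) < FIXED_MAGICK_NET


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(imagemagick_version(banner), "affected:", imagemagick_affected(banner))
```

Distribution packages can carry the fix as a backport under an older upstream version number, so a positive result on a distro build should be confirmed against the vendor's own advisory.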
Risk and Exploitability
With a CVSS score of 5.3, the threat is classified as moderate. The EPSS score of less than 1% suggests that actual exploitation is uncommon at present, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is any local or remote service that uses ImageMagick to process an MVG file supplied by an attacker; if that process is exposed to untrusted input, the result could be a service disruption. The missing check allows an attacker to trigger excessive memory or processing demands, thereby exhausting system resources.