CVE-2025-54575 (Medium) detected in sixlabors.imagesharp.2.1.7.nupkg #367

@mend-bolt-for-github

Description

CVE-2025-54575 - Medium Severity Vulnerability

Vulnerable Library - sixlabors.imagesharp.2.1.7.nupkg

A new, fully featured, fully managed, cross-platform, 2D graphics API for .NET

Library home page: https://api.nuget.org/packages/sixlabors.imagesharp.2.1.7.nupkg

Path to dependency file: /optimizely/samples/AlloySampleSite/AlloySampleSite.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/sixlabors.imagesharp/2.1.7/sixlabors.imagesharp.2.1.7.nupkg

Dependency Hierarchy:

  • EPiServer.CMS-12.31.2 (Root Library)
    • EPiServer.ImageLibrary.ImageSharp-1.0.1
      • sixlabors.imagesharp.2.1.7.nupkg (Vulnerable Library)
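The hierarchy shows ImageSharp arriving only transitively, through EPiServer.ImageLibrary.ImageSharp 1.0.1, so nothing in AlloySampleSite.csproj names it directly. One remediation, shown here as an added example (only the path of the project file appears in this report; its actual contents are not on the page), is a direct PackageReference to 2.1.11, the first fixed release of the 2.x line named in the vulnerability details. NuGet's nearest-wins resolution lets a direct reference override the version a transitive package would otherwise pull in, and staying on 2.1.x avoids the breaking changes of the 3.x line. This assumes EPiServer.ImageLibrary.ImageSharp 1.0.1 declares its ImageSharp dependency as a lower bound rather than an exact pin; if it pins 2.1.7 exactly, restore still resolves the direct reference but reports NU1608 (resolved version outside the dependency constraint), and the cleaner fix is a newer intermediate package.

```xml
<!-- AlloySampleSite.csproj, illustrative excerpt: the file's real contents
     are not in the report, so everything except the package names and
     versions taken from the dependency hierarchy is assumed. -->
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <!-- Root of the reported chain; it brings in
         EPiServer.ImageLibrary.ImageSharp 1.0.1 -> SixLabors.ImageSharp 2.1.7. -->
    <PackageReference Include="EPiServer.CMS" Version="12.31.2" />

    <!-- Added: a direct reference to the patched 2.x release. Nearest-wins
         resolution makes this version win over the transitive 2.1.7. -->
    <PackageReference Include="SixLabors.ImageSharp" Version="2.1.11" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` should no longer list SixLabors.ImageSharp, and the resolved version in obj/project.assets.json should read 2.1.11 for every target framework; the override only takes effect in projects that carry the direct reference, so each csproj in the repository that reaches ImageSharp through EPiServer.CMS needs it.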

Found in HEAD commit: 4c0d66e652f2e75affbfe88ce30e356bbe2e9f7d

Found in base branch: master

Vulnerability Details

ImageSharp is a 2D graphics library. In versions below 2.1.11 and 3.0.0 through 3.1.10, a specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. This leads to a denial of service. Applications processing untrusted GIF input should upgrade to a patched version. This issue is fixed in versions 2.1.11 and 3.1.11.
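The bug class described above, modelled as an added example rather than ImageSharp's code: a loop that skips GIF data sub-blocks and exits only on the 0x00 block terminator, next to a hardened version that treats end-of-stream and an over-long sub-block length as errors. The ByteReader, which returns -1 at end of data the way .NET's Stream.ReadByte does, and the exact shape of the vulnerable loop are assumptions about the bug class; the encoding it parses (0x21 0xFE introducer, length-prefixed sub-blocks of at most 255 bytes, 0x00 terminator) is the GIF89a comment extension. All inputs are constructed inline, and the reader carries a read budget so the vulnerable path is reported as a hang instead of actually hanging.

```python
"""Model of the GIF sub-block skip loop behind CVE-2025-54575. Added example, not
ImageSharp's code: ByteReader mimics .NET Stream.ReadByte() (returns -1 at end of
stream) and the shape of skip_sub_blocks_vulnerable is an assumption about the bug
class, a loop whose only exit is the 0x00 block terminator."""

GIF_EXTENSION_INTRODUCER, GIF_COMMENT_LABEL, GIF_BLOCK_TERMINATOR = 0x21, 0xFE, 0x00


class TruncatedGifError(ValueError):
    """Hardened skipper: the stream ended inside a block."""


class LoopDetected(RuntimeError):
    """Instrumented reader: read budget exhausted, so the demo cannot hang."""


class ByteReader:
    def __init__(self, data: bytes, read_budget: int = 10_000) -> None:
        self.data, self.pos, self.reads, self.read_budget = data, 0, 0, read_budget

    def read_byte(self) -> int:
        """Next byte, or -1 at end of data (like .NET Stream.ReadByte)."""
        self.reads += 1
        if self.reads > self.read_budget:
            raise LoopDetected(f"{self.read_budget} reads without a terminator")
        if self.pos >= len(self.data):
            return -1
        self.pos += 1
        return self.data[self.pos - 1]

    def skip(self, n: int) -> None:
        # Modelling choice: skipping past the end clamps, and a negative n
        # (the -1 end-of-stream marker reused as a length) moves nowhere.
        if n > 0:
            self.pos = min(self.pos + n, len(self.data))


def skip_sub_blocks_vulnerable(rd: ByteReader) -> int:
    """Skip sub-blocks until 0x00. The terminator is the only exit: once the
    stream ends, read_byte() returns -1 forever and the loop never stops."""
    skipped = 0
    while True:
        size = rd.read_byte()
        if size == GIF_BLOCK_TERMINATOR:
            return skipped
        rd.skip(size)
        skipped += max(size, 0)


def skip_sub_blocks_hardened(rd: ByteReader) -> int:
    """Same loop, but end of stream is an error and a sub-block must be fully
    present before it is skipped."""
    skipped = 0
    while True:
        size = rd.read_byte()
        if size == GIF_BLOCK_TERMINATOR:
            return skipped
        if size < 0:
            raise TruncatedGifError("end of stream before block terminator")
        if rd.pos + size > len(rd.data):
            raise TruncatedGifError("sub-block length exceeds remaining data")
        rd.skip(size)
        skipped += size


def comment_extension(text: bytes, terminated: bool = True) -> bytes:
    """Encode a comment extension: 0x21 0xFE, <len><data> sub-blocks of at most
    255 bytes, then (unless deliberately malformed) the 0x00 terminator."""
    out = bytearray([GIF_EXTENSION_INTRODUCER, GIF_COMMENT_LABEL])
    for i in range(0, len(text), 255):
        chunk = text[i:i + 255]
        out.append(len(chunk))
        out += chunk
    if terminated:
        out.append(GIF_BLOCK_TERMINATOR)
    return bytes(out)


def skip_comment(data: bytes, skipper) -> str:
    """Run one skipper over a comment extension: 'ok ...', 'hang' or 'rejected ...'."""
    rd = ByteReader(data)
    if rd.read_byte() != GIF_EXTENSION_INTRODUCER or rd.read_byte() != GIF_COMMENT_LABEL:
        raise ValueError("not a comment extension")
    try:
        n = skipper(rd)
    except LoopDetected:
        return "hang"
    except TruncatedGifError as exc:
        return f"rejected: {exc}"
    return f"ok: skipped {n} bytes, {len(rd.data) - rd.pos} remain"


# Constructed inputs, not taken from any real file. 0x3B is the GIF trailer.
CASES = {
    "well-formed": comment_extension(b"Made with ImageSharp") + b"\x3b",
    "two sub-blocks": comment_extension(b"x" * 300),
    "missing terminator": comment_extension(b"Made with ImageSharp", terminated=False),
    "length past EOF": bytes([GIF_EXTENSION_INTRODUCER, GIF_COMMENT_LABEL, 0xFF]) + b"abc",
}


def run_cases() -> dict:
    """Map each case to (vulnerable result, hardened result)."""
    return {name: (skip_comment(d, skip_sub_blocks_vulnerable),
                   skip_comment(d, skip_sub_blocks_hardened))
            for name, d in CASES.items()}
```

Both skippers agree on well-formed input; they diverge only when the terminator is missing or a length byte points past the end of the data, which is exactly the input an attacker controls. The general rule the hardened version follows is that every "skip until terminator" loop over untrusted input must treat end-of-stream as a terminating (error) condition and must not trust a length byte beyond the bytes actually available. Until the patched package is deployed, a per-request decode timeout or an upstream size limit on uploaded images bounds the damage of this kind of CPU-spin denial of service but does not fix it.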

Publish Date: 2025-07-30

URL: CVE-2025-54575

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

