Squidex Backend Contains 83 Vulnerabilities in ImageMagick Dependency Stack; Highest CVSS Reaches 8.8
A security scan of the Squidex open-source content management platform has identified a critical dependency exposure in its backend codebase. The library squidex.assets.imagemagick version 6.22.0 carries 83 known vulnerabilities, with the highest severity rated at 8.8 on the CVSS scale—firmly in the high-risk category. Crucially, the scan classifies these findings as reachable, meaning the vulnerable code paths are actively used by the application and could theoretically be exploited by a determined attacker.
The vulnerability chain originates from magick.net-q8-anycpu version 14.2.0, a transitive dependency that the Squidex project imports indirectly through its own ImageMagick asset-handling wrapper. One specific flaw, tracked as CVE-2025-55154, carries the peak severity of 8.8 and remains unfixed with no remediation path currently documented in the scan results. The findings, pulled from the Mend vulnerability database, represent only a partial snapshot—23 of an estimated 83 total findings—due to reporting limitations on the GitHub Issues interface.
The exposure centers on Squidex's asset processing pipeline, which relies on ImageMagick bindings to handle image uploads and transformations within the CMS. If exploited, an attacker could potentially craft malicious image files to trigger memory corruption or arbitrary code execution on servers running affected configurations. Security teams using Squidex in production should immediately assess reachability of the vulnerable paths, evaluate compensating controls, and monitor the Mend platform for updated remediation guidance as the 60-day coordinated disclosure window progresses.
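The remediation advice above starts with confirming whether a deployment actually pulls in the affected package through the transitive chain the article describes. The following script, added here as an illustration and not taken from the Squidex project or the Mend scanner, parses a NuGet `packages.lock.json` file, builds the dependency graph, and prints every path from a directly referenced package to a package/version pair listed in an advisory table. The lock-file fragment and the `example.*` package names are constructed sample input; the advisory entry mirrors the article's figures (magick.net-q8-anycpu 14.2.0, CVE-2025-55154, no fixed version documented).

```python
import json
from typing import Dict, List, Tuple

# Constructed NuGet packages.lock.json fragment for a hypothetical project that references
# the wrapper library named in the article. Sample input, not Squidex's real lock file.
SAMPLE_LOCK_JSON = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "squidex.assets.imagemagick": {
                "type": "Direct",
                "requested": "[6.22.0, )",
                "resolved": "6.22.0",
                "dependencies": {"magick.net-q8-anycpu": "14.2.0"},
            },
            "magick.net-q8-anycpu": {
                "type": "Transitive",
                "resolved": "14.2.0",
                "dependencies": {"example.native.runtime": "1.0.0"},  # constructed child
            },
            "example.native.runtime": {"type": "Transitive", "resolved": "1.0.0"},
            "example.unrelated.lib": {"type": "Direct", "requested": "[2.1.0, )", "resolved": "2.1.0"},
        }
    },
})

# Advisory table keyed by lower-cased package id (NuGet ids are case-insensitive).
# "fixed": None records that no remediated version is documented, as in the article.
ADVISORIES: Dict[str, Dict[str, object]] = {
    "magick.net-q8-anycpu": {"affected": {"14.2.0"}, "fixed": None, "id": "CVE-2025-55154"},
}


def parse_lock(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]], List[str]]:
    """Return (resolved versions, adjacency list, direct package ids), merged across frameworks."""
    data = json.loads(text)
    resolved: Dict[str, str] = {}
    edges: Dict[str, List[str]] = {}
    direct: List[str] = []
    for pkgs in data["dependencies"].values():
        for name, info in pkgs.items():
            key = name.lower()
            resolved[key] = info["resolved"]
            edges.setdefault(key, [])
            for child in info.get("dependencies", {}):
                if child.lower() not in edges[key]:
                    edges[key].append(child.lower())
            if info.get("type") == "Direct" and key not in direct:
                direct.append(key)
    return resolved, edges, direct


def paths_to(edges: Dict[str, List[str]], roots: List[str], target: str) -> List[List[str]]:
    """All simple paths from any root package to the target package (depth-first walk)."""
    results: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node == target:
            results.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against cycles in malformed lock files
                dfs(child, path + [child])

    for root in roots:
        dfs(root, [root])
    return results


def find_reachable_advisories(lock_text: str, advisories: Dict[str, Dict[str, object]]) -> List[Dict[str, str]]:
    """Report each advisory whose affected version is resolved, with every dependency path to it."""
    resolved, edges, direct = parse_lock(lock_text)
    findings: List[Dict[str, str]] = []
    for pkg, adv in advisories.items():
        version = resolved.get(pkg)
        if version is None or version not in adv["affected"]:
            continue
        for path in paths_to(edges, direct, pkg):
            findings.append({
                "advisory": str(adv["id"]),
                "package": pkg,
                "version": version,
                "path": " -> ".join(f"{p}@{resolved.get(p, '?')}" for p in path),
                "fix": str(adv["fixed"]) if adv["fixed"] else "no fixed version documented",
            })
    return findings


if __name__ == "__main__":
    for f in find_reachable_advisories(SAMPLE_LOCK_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['path']} (fix: {f['fix']})")
```

Point the script at a real `packages.lock.json` (generated with `RestorePackagesWithLockFile` enabled) and populate the advisory table from your scanner's export. Note the limitation: this establishes dependency reachability, that is, the package is present in the build, which is weaker than the code-path reachability the Mend scan reports; a package that is pulled in but never called is lower risk, and confirming which case applies requires looking at where the asset pipeline invokes the ImageMagick bindings.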